SRX4700 Junos OS CVE-2025-59964: Brief Summary of a Denial of Service via Uninitialized Resource

This post provides a brief summary of CVE-2025-59964, a high-severity Denial of Service vulnerability in Juniper Networks SRX4700 firewalls running specific Junos OS versions. The flaw is triggered when forwarding-options sampling is enabled and traffic destined for the Routing Engine is processed, resulting in a crash of the Packet Forwarding Engine line card. The post covers affected versions, technical details, and references for further investigation.
CVE Analysis

ZeroPath CVE Analysis

2025-10-09

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Traffic outages on core firewalls can disrupt business operations and expose critical infrastructure to risk. Juniper Networks SRX4700 firewalls, widely deployed in data centers and large enterprises, are affected by a high-severity Denial of Service vulnerability (CVE-2025-59964) that can be triggered remotely and without authentication. This issue is particularly significant for environments that rely on traffic sampling for monitoring or compliance, as the vulnerability is only exposed when forwarding-options sampling is enabled.

Juniper Networks is a leading global provider of networking and security solutions, with the SRX4700 representing its high-performance firewall platform. These devices are integral to securing large-scale enterprise and service provider networks, processing massive volumes of traffic and enforcing advanced security policies.

Technical Information

CVE-2025-59964 is a Use of Uninitialized Resource vulnerability (CWE-908) in the Packet Forwarding Engine (PFE) of Juniper Networks SRX4700 devices running Junos OS 24.4 releases earlier than 24.4R1-S3 or 24.4R2. In Juniper's advisory convention the releases named after "before" are the first fixed ones, so 24.4R1-S3, 24.4R2 and later carry the fix. The flaw is triggered only when the forwarding-options sampling feature is enabled. In that configuration, if any traffic destined for the Routing Engine (RE) is received and processed by the PFE line card, the Flexible PIC Concentrator (FPC) crashes and restarts. The result is a Denial of Service: all traffic through the interfaces hosted on that FPC is interrupted until the restart completes. If RE-destined traffic keeps arriving, the FPC can be held in a persistent crash loop, sustaining the outage.

Both IPv4 and IPv6 traffic can trigger the vulnerability. The root cause is an uninitialized resource in the PFE's handling of exception traffic (packets that must be handed up to the RE rather than forwarded in hardware) when sampling is active. No authentication is required, and the issue can be triggered by any network-based attacker able to deliver traffic that the device processes in its control plane rather than forwarding through it. Because the trigger is any RE-destined traffic rather than a specially crafted packet, ordinary management or routing-protocol traffic addressed to the device can produce the same crash, so an exposed device may fail without any attacker involved. No public code snippets or stack traces are available for this vulnerability. The issue is limited to the combination of forwarding-options sampling being enabled and RE-destined traffic being processed by the PFE; until a fixed release is installed, removing or deactivating the sampling configuration eliminates the triggering condition.

Affected Systems and Versions

  • Product: Juniper Networks SRX4700
  • Software: Junos OS
  • Affected versions: Junos OS 24.4 before 24.4R1-S3 and before 24.4R2 (fixed in 24.4R1-S3, 24.4R2 and later)
  • Vulnerable configuration: forwarding-options sampling enabled
  • Both IPv4 and IPv6 traffic can trigger the issue
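The two conditions above (vulnerable release plus sampling enabled) are easy to misjudge by eye, particularly the Junos release-string comparison. The following script is an added example written for this post, not Juniper's tooling or code from the advisory: it parses the `Junos:` and `Model:` lines of `show version` and the `display set` form of the configuration, decides whether a 24.4 release sorts below the first fixed release of its R-train, and reports whether the device is exposed. The sample `show version` and configuration text are constructed for the example, the exact model string and the "a version is affected if it sorts below every listed fixed release" reading of the advisory wording are assumptions, and only whole-hierarchy deactivation of sampling is modelled.

```python
"""Exposure check for CVE-2025-59964 on SRX4700 (constructed example, not Juniper's tool).

A device is exposed only when it is an SRX4700, runs Junos OS 24.4 earlier than the
first fixed release of its R-train (24.4R1-S3; the 24.4R2 train is already fixed),
and has forwarding-options sampling configured and not deactivated. Inputs are the
text of `show version` and `show configuration | display set`.
"""
import re
from typing import NamedTuple, Optional

class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int   # the N in RN
    service: int   # the N in -SN; 0 when there is no service release

# Covers 24.4R1, 24.4R1-S2.3, 24.4R2.5; the trailing ".build" is ignored and
# other formats (e.g. 24.4X...) are reported as unknown rather than as safe.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

# Fixed releases as listed on the page ("24.4 before 24.4R1-S3, 24.4R2").
# Assumption: a 24.4 version is affected iff it sorts below every fixed release.
AFFECTED_TRAIN = (24, 4)
FIXED_RELEASES = (JunosVersion(24, 4, 1, 3), JunosVersion(24, 4, 2, 0))

def parse_junos_version(text: str) -> Optional[JunosVersion]:
    """Parse a Junos release string into a comparable tuple, or None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, service = m.groups()
    return JunosVersion(int(major), int(minor), int(release), int(service or 0))

def version_is_affected(version: str) -> Optional[bool]:
    """True/False for a parseable release; None when the string is not understood."""
    v = parse_junos_version(version)
    if v is None:
        return None
    if (v.major, v.minor) != AFFECTED_TRAIN:
        return False
    return all(v < fixed for fixed in FIXED_RELEASES)

def extract_junos_version(show_version_output: str) -> Optional[str]:
    """Pull the release string from the 'Junos: ...' line of `show version`."""
    m = re.search(r"^Junos:\s*(\S+)", show_version_output, re.MULTILINE)
    return m.group(1) if m else None

def model_is_srx4700(show_version_output: str) -> bool:
    """Check the 'Model:' line; the exact model string is an assumption here."""
    m = re.search(r"^Model:\s*(\S+)", show_version_output, re.MULTILINE)
    return bool(m) and m.group(1).lower().startswith("srx4700")

def sampling_enabled(display_set_config: str) -> bool:
    """True if a 'forwarding-options sampling' statement is present and active.

    Only whole-hierarchy deactivation is modelled; deactivating a single
    sampling instance still counts as enabled here (conservative choice).
    """
    lines = [line.strip() for line in display_set_config.splitlines()]
    configured = any(line.startswith("set forwarding-options sampling ") for line in lines)
    deactivated = any(line in ("deactivate forwarding-options",
                               "deactivate forwarding-options sampling") for line in lines)
    return configured and not deactivated

def assess(show_version_output: str, display_set_config: str) -> str:
    """Combine the model, version and configuration checks into one verdict."""
    if not model_is_srx4700(show_version_output):
        return "not-affected-model"
    version = extract_junos_version(show_version_output)
    affected = version_is_affected(version) if version else None
    if affected is None:
        return "unknown-version"
    if not affected:
        return "not-affected-version"
    if not sampling_enabled(display_set_config):
        return "not-affected-config"
    return "affected"

# Constructed sample output for this example; not captured from a real device.
SAMPLE_SHOW_VERSION = """\
Hostname: srx4700-edge1
Model: srx4700
Junos: 24.4R1-S2.3
"""
SAMPLE_CONFIG_SET = """\
set forwarding-options sampling input rate 1
set forwarding-options sampling family inet output flow-server 192.0.2.10 port 2055
set forwarding-options sampling family inet output flow-server 192.0.2.10 version 5
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG_SET))   # affected
    mitigated = SAMPLE_CONFIG_SET + "deactivate forwarding-options sampling\n"
    print(assess(SAMPLE_SHOW_VERSION, mitigated))           # not-affected-config
```

Unparseable release strings deliberately come back as "unknown-version" rather than "not affected", so a device running a format this example does not understand is flagged for manual review instead of silently passing; per-instance deactivation is treated as still enabled for the same reason.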

Vendor Security History

Juniper Networks has previously addressed Denial of Service and resource management vulnerabilities in Junos OS. The company maintains a regular cadence of security advisories and typically provides timely patches and detailed remediation guidance. The SRX series has had other vulnerabilities in the past, but Juniper's response and communication are generally considered prompt and thorough.
