CVE-2025-59958
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-09

Last updated on: 2025-10-14

Assigner: Juniper Networks, Inc.

Description
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to cause impact to confidentiality and availability. When an output firewall filter is configured with one or moreΒ terms where the action is 'reject', packets matching these terms areΒ erroneously sent to the Routing Engine (RE) and further processed there.Β Processing of these packets will consume limited RE resources. Also responses from the RE back to the source of this traffic could reveal confidential information about the affected device. This issue only applies to firewall filters applied to WAN or revenue interfaces, so not the mgmt or lo0 interface of the routing-engine, nor any input filters. This issue affects Junos OS Evolved on PTX Series: * all versions before 22.4R3-EVO, * 23.2 versions before 23.2R2-EVO.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-09
Last Modified
2025-10-14
Generated
2026-06-16
AI Q&A
2025-10-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59958
EUVD
EUVD-2025-33399
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
juniper junoss_evolved *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an improper check for unusual or exceptional conditions in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on PTX Series. When an output firewall filter with 'reject' action terms is applied to WAN or revenue interfaces, packets that match these terms are mistakenly sent to the Routing Engine (RE) instead of being dropped. The RE then processes these packets, consuming its limited resources. Additionally, responses from the RE to the source of this traffic could reveal confidential information about the device. This issue does not affect management or loopback interfaces or input filters.

Impact Analysis

This vulnerability can impact you by causing a loss of confidentiality and availability. Specifically, the Routing Engine's limited resources may be consumed by processing packets that should have been rejected, potentially leading to degraded device performance or availability issues. Furthermore, the responses sent back to the source of the rejected traffic could leak confidential information about the affected device.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59958. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart