The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-59960

CVE-2025-59960: Junos OS DHCP Service DoS Vulnerability

CVE-2025-59960 is a denial of service flaw in Juniper Networks Junos OS and Junos OS Evolved DHCP service that allows address pool exhaustion across subnets. This article covers technical details, affected versions, impact, and mitigation.

Published: January 23, 2026

CVE-2025-59960 Overview

CVE-2025-59960 is an Improper Check for Unusual or Exceptional Conditions vulnerability (CWE-754) affecting the Juniper DHCP service (jdhcpd) in Juniper Networks Junos OS and Junos OS Evolved. This flaw allows a DHCP client positioned in one subnet to exhaust the address pools of other subnets, resulting in a Denial of Service (DoS) condition on downstream DHCP servers.

The vulnerability stems from improper handling of DHCP Option 82 information in 'forward-only' mode. By default, the DHCP relay agent inserts its own Option 82 information when forwarding client requests, optionally replacing any Option 82 information provided by the client. When a specific DHCP DISCOVER packet is received in 'forward-only' mode with Option 82, the device should drop the message unless trust-option82 is configured. Instead, the DHCP relay improperly forwards these packets to the DHCP server unmodified, consuming addresses from the server's address pool and ultimately leading to pool exhaustion.

Critical Impact

An attacker on an adjacent network can exhaust DHCP address pools across multiple subnets, denying legitimate clients the ability to obtain IP addresses and disrupting network connectivity for affected segments.

Affected Products

  • Juniper Networks Junos OS: all versions before 21.2R3-S10, from 21.4 before 21.4R3-S12, all versions of 22.2, from 22.4 before 22.4R3-S8, from 23.2 before 23.2R2-S5, from 23.4 before 23.4R2-S6, from 24.2 before 24.2R2-S2, from 24.4 before 24.4R2, from 25.2 before 25.2R1-S1 / 25.2R2
  • Juniper Networks Junos OS Evolved: all versions before 21.4R3-S12-EVO, all versions of 22.2-EVO, from 22.4 before 22.4R3-S8-EVO, from 23.2 before 23.2R2-S5-EVO, from 23.4 before 23.4R2-S6-EVO, from 24.2 before 24.2R2-S2-EVO, from 24.4 before 24.4R2-EVO, from 25.2 before 25.2R1-S1-EVO / 25.2R2-EVO

Discovery Timeline

  • 2026-01-15 - CVE-2025-59960 published to NVD
  • 2026-01-16 - Last updated in NVD database

Technical Details for CVE-2025-59960

Vulnerability Analysis

This vulnerability represents a classic case of improper input validation in network protocol handling. The Juniper DHCP service (jdhcpd) fails to properly validate and reject DHCP DISCOVER packets containing client-supplied Option 82 information when operating in 'forward-only' mode without the trust-option82 configuration option enabled.

DHCP Option 82, also known as the DHCP Relay Agent Information option, is typically used by relay agents to insert circuit identification and remote identification information into DHCP requests. This information helps DHCP servers make intelligent address allocation decisions based on the client's physical location in the network topology.

The security model assumes that in 'forward-only' mode, packets with pre-existing Option 82 data should be discarded unless explicitly trusted. The vulnerability breaks this assumption, allowing malicious clients to craft DHCP DISCOVER packets with manipulated Option 82 information that causes the DHCP server to allocate addresses from unintended pools.

Root Cause

The root cause is an Improper Check for Unusual or Exceptional Conditions (CWE-754) in the jdhcpd service. The code path responsible for processing DHCP DISCOVER packets in 'forward-only' mode does not properly validate whether incoming packets already contain Option 82 information before forwarding them to the upstream DHCP server.

When the DHCP relay receives a DISCOVER packet with Option 82 already present, it should check the trust-option82 configuration. If this option is not enabled, the packet should be dropped. The flawed implementation bypasses this validation check, forwarding the packet with the attacker-controlled Option 82 information intact.

Attack Vector

The attack requires adjacent network access, meaning an attacker must be positioned on the same network segment or have the ability to send DHCP traffic to the vulnerable relay agent. The attack sequence involves:

  1. The attacker crafts DHCP DISCOVER packets containing fabricated Option 82 information that references address pools from different subnets
  2. These malicious packets are sent to the vulnerable Juniper device acting as a DHCP relay in 'forward-only' mode
  3. The relay improperly forwards these packets to the downstream DHCP server without stripping or validating the Option 82 information
  4. The DHCP server processes these requests and allocates addresses from the pools indicated by the spoofed Option 82 data
  5. Repeated exploitation exhausts address pools across multiple subnets, denying service to legitimate clients

The vulnerability is exploitable by sending specially crafted DHCP DISCOVER packets with manipulated Option 82 (Relay Agent Information) fields to a vulnerable Juniper DHCP relay operating in 'forward-only' mode. The relay fails to validate and drop these packets when trust-option82 is not configured, instead forwarding them unmodified to the DHCP server. This allows an attacker to influence address allocation from pools in different subnets, ultimately exhausting available addresses. For detailed technical information, refer to the Juniper Security Advisory JSA103149.

Detection Methods for CVE-2025-59960

Indicators of Compromise

  • Unexpected DHCP DISCOVER packets containing Option 82 information from client segments
  • Rapid depletion of DHCP address pools across multiple subnets without corresponding legitimate client activity
  • DHCP server logs showing address allocations to pools that don't match the originating relay agent's expected subnet
  • Increased DHCP NAK responses due to pool exhaustion

Detection Strategies

  • Monitor DHCP relay statistics for anomalous forwarding patterns, particularly DISCOVER packets with pre-existing Option 82 data
  • Implement DHCP server monitoring to detect rapid address pool consumption across multiple scopes
  • Configure network monitoring to alert on DHCP traffic volumes exceeding normal baselines
  • Review jdhcpd logs for unusual Option 82 processing behavior

Monitoring Recommendations

  • Enable detailed DHCP logging on Juniper devices to capture Option 82 handling events
  • Deploy network traffic analysis tools to monitor DHCP protocol behavior at relay points
  • Establish baseline metrics for DHCP pool utilization and alert on deviations
  • Consider implementing DHCP snooping on access switches to validate DHCP traffic

How to Mitigate CVE-2025-59960

Immediate Actions Required

  • Identify all Juniper Junos OS and Junos OS Evolved devices operating as DHCP relays in 'forward-only' mode
  • Review current software versions against the affected version list and prioritize patching
  • Consider enabling trust-option82 only where explicitly required and understood
  • Implement network segmentation to limit attacker access to DHCP relay interfaces

Patch Information

Juniper Networks has released patched versions addressing this vulnerability. Organizations should upgrade to the following minimum versions:

Junos OS:

  • 21.2R3-S10 or later (for versions before 21.4)
  • 21.4R3-S12 or later
  • 22.4R3-S8 or later
  • 23.2R2-S5 or later
  • 23.4R2-S6 or later
  • 24.2R2-S2 or later
  • 24.4R2 or later
  • 25.2R1-S1 or 25.2R2 or later

Junos OS Evolved:

  • 21.4R3-S12-EVO or later
  • 22.4R3-S8-EVO or later
  • 23.2R2-S5-EVO or later
  • 23.4R2-S6-EVO or later
  • 24.2R2-S2-EVO or later
  • 24.4R2-EVO or later
  • 25.2R1-S1-EVO or 25.2R2-EVO or later

Note: Version 22.2 and 22.2-EVO are listed as entirely affected; organizations running these versions should migrate to a supported release. Refer to the Juniper Security Advisory JSA103149 for complete patch details.

Workarounds

  • If forward-only mode is not strictly required, consider alternative DHCP relay configurations
  • Implement access control lists (ACLs) to restrict DHCP traffic to known legitimate sources
  • Deploy rate limiting on DHCP relay interfaces to slow potential exploitation attempts
  • Consider implementing DHCP server-side controls to limit allocations per relay circuit
bash
# Example: Check current DHCP relay configuration
show configuration forwarding-options dhcp-relay

# Example: Verify DHCP relay statistics for anomalies
show dhcp relay statistics

# Example: Review jdhcpd process status
show system processes extensive | match jdhcpd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechJunos
  • SeverityMEDIUM
  • CVSS Score6.3
  • EPSS Probability0.03%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-754
  • Technical References
  • Juniper Security Advisory JSA103149
  • Juniper Support Portal
  • Related CVEs
  • CVE-2026-21921: Juniper Networks Junos OS DoS Vulnerability
  • CVE-2025-59959: Juniper Junos OS rpd DoS Vulnerability
  • CVE-2026-21917: Juniper SRX Series DoS Vulnerability
  • CVE-2026-21914: Juniper Junos OS GTP Plugin DoS Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English