CVE-2026-21902
📋 TL;DR
An unauthenticated remote code execution vulnerability in Juniper PTX Series routers allows attackers to execute arbitrary code as root by exploiting incorrect permissions in the On-Box Anomaly detection framework. This affects Junos OS Evolved 25.4 versions before 25.4R1-S1-EVO and 25.4R2-EVO on PTX Series devices. The service is enabled by default with no special configuration required.
💻 Affected Systems
- Juniper Networks PTX Series routers
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router with root privileges, allowing full control over network traffic, configuration modification, persistence establishment, and lateral movement to other network segments.
Likely Case
Remote attacker gains root shell access on the router, enabling traffic interception, configuration changes, and potential use as a pivot point for further attacks.
If Mitigated
If properly segmented and firewalled, impact limited to the affected device only, though root compromise still allows significant damage to that device.
🎯 Exploit Status
Vulnerability allows unauthenticated network-based attackers to execute code as root, suggesting relatively straightforward exploitation once details are known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.4R1-S1-EVO or later
Vendor Advisory: https://kb.juniper.net/JSA107128
Restart Required: Yes
Instructions:
1. Download the patched version from Juniper support portal. 2. Backup current configuration. 3. Install the update following Juniper's upgrade procedures. 4. Reboot the device. 5. Verify the new version is running.
🔧 Temporary Workarounds
Block external access to anomaly detection service
allConfigure firewall rules to block external access to the On-Box Anomaly detection framework service port
set firewall family inet filter BLOCK-ANOMALY term BLOCK from source-address 0.0.0.0/0
set firewall family inet filter BLOCK-ANOMALY term BLOCK then discard
set interfaces <external-interface> unit 0 family inet filter input BLOCK-ANOMALY
Disable On-Box Anomaly detection if not needed
allCompletely disable the vulnerable service if anomaly detection functionality is not required
set system services anomaly-detection disable
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PTX devices from untrusted networks
- Deploy intrusion prevention systems with signatures for Juniper exploits and monitor for anomalous traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check Junos OS Evolved version with 'show version' and verify if running 25.4 versions before 25.4R1-S1-EVO or 25.4R2-EVOCheck Version:
show version | match JunosVerify Fix Applied:
After patching, verify version is 25.4R1-S1-EVO or later with 'show version' command📡 Detection & Monitoring
Log Indicators:
- Unexpected connections to anomaly detection service
- Unauthorized configuration changes
- Root privilege escalation attempts
- Unusual process execution
Network Indicators:
- Traffic to anomaly detection service from external sources
- Unexpected outbound connections from PTX devices
- Anomalous protocol patterns to PTX management interfaces
SIEM Query:
source="juniper-firewall" AND (dest_port=anomaly_service_port OR action="block" AND dest_ip=PTX_device)