CVE-2026-21902 - Vulnerability Details

- Junos OS Evolved: PTX Series: A vulnerability allows a unauthenticated, network-based attacker to execute code as root

Description

An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root.

The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port. With the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device.
Please note that this service is enabled by default as no specific configuration is required.

This issue affects Junos OS Evolved on PTX Series:

* 25.4 versions before 25.4R1-S1-EVO, 25.4R2-EVO.

This issue does not affect Junos OS Evolved versions before 25.4R1-EVO.

This issue does not affect Junos OS.

Published: 2026-02-25

Score: 9.3 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An incorrect permission assignment in the On‑Box Anomaly detection framework allows an unauthenticated, network‑based attacker to access a service that should be reachable only by internal processes. Because the service is enabled by default, an attacker can manipulate it to execute arbitrary code with root privileges, effectively taking full control of the device.

Affected Systems

The vulnerability affects Juniper Networks Junos OS Evolved on PTX Series devices, specifically the PTX models listed in the CPE data (PTX10001-36mr, PTX10002-36qdd, PTX10003, PTX10004, PTX10008, PTX10016). Versions 25.4 earlier than 25.4R1‑S1‑EVO and 25.4R2‑EVO are impacted; later releases and versions before 25.4R1‑EVO are not.

Risk and Exploitability

The CVSS score is 9.3, indicating critical severity. EPSS is reported as less than 1%, implying a very low but non‑zero probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Given the network‑based attack vector and the fact that the service is widely exposed by default, the risk of exploitation remains high until a patch is applied.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Juniper Networks

Junos OS Evolved

unaffected

Version	Status	Constraints
`25.4`	affected	< 25.4R1-S1-EVO, 25.4R2-EVO
`0`	unaffected	< 25.4R1-EVO

Configuration 1 [-]

AND

cpe:2.3:o:juniper:junos_os_evolved:25.4:r1:*:*:*:*:*:*

OR	cpe:2.3:h:juniper:ptx10001-36mr:-:::::::*
	cpe:2.3:h:juniper:ptx10002-36qdd:-:::::::*
	cpe:2.3:h:juniper:ptx10003:-:::::::*
	cpe:2.3:h:juniper:ptx10004:-:::::::*
	cpe:2.3:h:juniper:ptx10008:-:::::::*
	cpe:2.3:h:juniper:ptx10016:-:::::::*

No data.

Vendor Product Confidence Versions

Juniper Networks

Junos Os Evolved

100%

Version	Status	Scheme	Platform
`[25.4,25.4R1-S1-EVO)`	affected	generic	['ptx_series']
`[25.4,25.4R2-EVO)`	affected	generic	['ptx_series']
`[0,25.4R1-EVO)`	unaffected	generic	['ptx_series']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: 25.4R1-S1-EVO, 25.4R2-EVO*, 26.2R1-EVO*, and all subsequent releases. * Future Release

Vendor Workaround

To reduce the risk of exploitation of this issue, use access lists or firewall filters to limit access to only trusted networks and hosts. Please ensure such filters only permit explicitly required connections and block all others. Also this service can be disabled by 'request pfe anomalies disable'.

OpenCVE Recommended Actions

Apply the latest Junos OS release (25.4R1‑S1‑EVO, 25.4R2‑EVO, 26.2R1‑EVO, or later) to resolve the issue.
Configure access lists or firewall filters to limit external access to the anomaly detection service, allowing only trusted networks and hosts.
Disable the service with the command ‘request pfe anomalies disable’ until a patch can be applied.

Generated by OpenCVE AI on April 16, 2026 at 16:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00094.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/watchtowrlabs/watchTowr-vs-JunosEvolved-CVE-2026-21902/blob/main/watchTowr-vs-JunosEvolved-CVE-2026-21902.py
https://kb.juniper.net/JSA107128
https://supportportal.juniper.net/JSA107128

History

Mon, 30 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Juniper Juniper junos Os Evolved Juniper ptx10001-36mr Juniper ptx10002-36qdd Juniper ptx10003 Juniper ptx10004 Juniper ptx10008 Juniper ptx10016
CPEs		cpe:2.3:h:juniper:ptx10001-36mr:-:::::::* cpe:2.3:h:juniper:ptx10002-36qdd:-:::::::* cpe:2.3:h:juniper:ptx10003:-:::::::* cpe:2.3:h:juniper:ptx10004:-:::::::* cpe:2.3:h:juniper:ptx10008:-:::::::* cpe:2.3:h:juniper:ptx10016:-:::::::* cpe:2.3:o:juniper:junos_os_evolved:25.4:r1::::::
Vendors & Products		Juniper Juniper junos Os Evolved Juniper ptx10001-36mr Juniper ptx10002-36qdd Juniper ptx10003 Juniper ptx10004 Juniper ptx10008 Juniper ptx10016

Tue, 03 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/watchtowrlabs/watchTowr-vs-JunosEvolved-CVE-2026-21902/blob/main/watchTowr-vs-JunosEvolved-CVE-2026-21902.py
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 26 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Juniper Networks Juniper Networks junos Os Evolved
Vendors & Products		Juniper Networks Juniper Networks junos Os Evolved

Thu, 26 Feb 2026 06:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 25 Feb 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root. The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port. With the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device. Please note that this service is enabled by default as no specific configuration is required. This issue affects Junos OS Evolved on PTX Series: * 25.4 versions before 25.4R1-S1-EVO, 25.4R2-EVO. This issue does not affect Junos OS Evolved versions before 25.4R1-EVO. This issue does not affect Junos OS.
Title		Junos OS Evolved: PTX Series: A vulnerability allows a unauthenticated, network-based attacker to execute code as root
Weaknesses		CWE-732
References		https://kb.juniper.net/JSA107128 https://supportportal.juniper.net/JSA107128
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/RE:M/U:Red'}`

Subscriptions

Juniper Junos Os Evolved Ptx10001-36mr Ptx10002-36qdd Ptx10003 Ptx10004 Ptx10008 Ptx10016

Juniper Networks Junos Os Evolved

MITRE

Status: PUBLISHED

Assigner: juniper

Published: 2026-02-25T16:59:10.672Z

Updated: 2026-03-04T04:55:12.668Z

Reserved: 2026-01-05T17:32:48.709Z

Link: CVE-2026-21902

Vulnrichment

Updated: 2026-02-25T19:14:22.032Z

NVD

Status : Analyzed

Published: 2026-02-25T18:23:40.360

Modified: 2026-03-30T15:16:05.537

Link: CVE-2026-21902

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses

CWE-732

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object