Description
A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root, which leads to a complete compromise of the system.

When, after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated) configuration changes, the first user can log in as root.

This issue affects Junos OS:
* all versions before 23.2R2-S7,
* 23.4 versions before 23.4R2-S6,
* 24.2 versions before 24.2R2-S3,
* 24.4 versions before 24.4R2-S2,
* 25.2 versions before 25.2R2.


This issue does not affect versions 25.4R1 or later.
Published: 2026-04-09
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Improper symbolic link handling in the Juniper Junos OS command line interface lets a local, authenticated, low-privileged user exploit a symlink-following flaw. After the attacker invokes a "file link" command, an unrelated configuration commit by a different user leaves the original user able to authenticate as root, effectively escalating privileges. This flaw is categorized as CWE-61: UNIX Symbolic Link (Symlink) Following.

Affected Systems

The affected product is Juniper Networks Junos OS. All releases prior to 23.2R2-S7, all 23.4 releases before 23.4R2-S6, all 24.2 releases before 24.2R2-S3, all 24.4 releases before 24.4R2-S2, and all 25.2 releases before 25.2R2 are impacted. Version 25.4R1 and later do not contain the vulnerability.

Risk and Exploitability

The CVSS score is 7.0 (v4.0; the v3.1 vector scores 7.3), indicating high severity. EPSS information is not available, and the vulnerability is not listed in CISA KEV, meaning no known public exploitation is documented. The flaw requires local access with a low-privileged account and the ability to perform a "file link" operation; once a different user then performs an unrelated configuration commit, the attacker can log in as root. Given the high impact of compromising the entire system and the lack of defensive measures beyond patching or restricting access to 'file link', the risk is significant.

Generated by OpenCVE AI on April 9, 2026 at 22:22 UTC.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: 23.2R2-S7, 23.4R2-S6, 24.2R2-S3, 24.4R2-S2, 25.2R2, and all subsequent releases.


Vendor Workaround

To prevent exploitation, use access controls to keep users from performing 'file link' operations.


OpenCVE Recommended Actions

  • Upgrade Junos OS to a fixed release: 23.2R2-S7, 23.4R2-S6, 24.2R2-S3, 24.4R2-S2, 25.2R2, or any later release.
  • As a temporary workaround, enforce access controls to prevent users from performing the 'file link' command.
  • Verify the running OS version and confirm that the patched release is in use.
  • Monitor system logs for unexpected root logins and other signs of privilege escalation.
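A version check for the "verify the running OS version" step, added here as an example; it is not code from OpenCVE or Juniper. The fixed-release table comes from the vendor solution on this page; the version-string grammar (`major.minorR<release>[-S<service>][.build]`), the function names (`parse_junos_version`, `is_affected`, `version_from_show_version`) and the sample `show version` output are assumptions made for the example.

```python
"""Check a Junos OS version string against the fixed releases for CVE-2026-21916.

Added example, not OpenCVE's or Juniper's code. The fixed-release table is taken
from the advisory text on this page; the version grammar and the sample
'show version' output are assumptions made for this example.
"""
import re
from typing import Tuple

# Fixed releases per branch, as stated in the vendor solution on this page.
FIXED_RELEASES = {
    (23, 2): "23.2R2-S7",
    (23, 4): "23.4R2-S6",
    (24, 2): "24.2R2-S3",
    (24, 4): "24.4R2-S2",
    (25, 2): "25.2R2",
}
# "all versions before 23.2R2-S7" also covers every branch older than 23.2.
OLDEST_FIXED_BRANCH = (23, 2)

# Assumed grammar: <major>.<minor>R<release>[.<build>]
#               or <major>.<minor>R<release>-S<service>[.<build>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+)|-S(\d+)(?:\.(\d+))?)?$")


def parse_junos_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '23.4R2-S5.1' into the comparable tuple (23, 4, 2, 5, 1).

    Tuple order is (major, minor, release, service, build), so a release
    build such as 23.2R2.3 sorts before any service release of 23.2R2.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, release, r_build, service, s_build = m.groups()
    build = r_build or s_build or "0"
    return (int(major), int(minor), int(release), int(service or 0), int(build))


def is_affected(version: str) -> bool:
    """Return True when the version falls inside an affected range listed on this page."""
    v = parse_junos_version(version)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        # Affected if strictly older than the fixed release of the same branch.
        return v < parse_junos_version(FIXED_RELEASES[branch])
    if branch < OLDEST_FIXED_BRANCH:
        return True  # every release older than the 23.2 branch is affected
    # 25.4R1 and later are stated to be unaffected; any other branch is not
    # named in the advisory, so it is not reported as affected here.
    return False


def version_from_show_version(output: str) -> str:
    """Extract the version string from the 'Junos: ...' line of 'show version' output."""
    m = re.search(r"^Junos:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Junos:' line found in show version output")
    return m.group(1)


# Constructed sample of 'show version' output; not captured from a real device.
SAMPLE_SHOW_VERSION = """\
Hostname: edge-router-1
Model: mx204
Junos: 23.4R2-S5.1
"""

if __name__ == "__main__":
    running = version_from_show_version(SAMPLE_SHOW_VERSION)
    state = "AFFECTED" if is_affected(running) else "not affected"
    print(f"{running}: {state}")
```

Feed the real `show version` output (or the version string from an inventory export) to `is_affected`; version strings outside the assumed grammar, such as legacy `X`/`D` trains, raise `ValueError` rather than silently passing, so they still have to be reviewed by hand.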

Generated by OpenCVE AI on April 9, 2026 at 22:22 UTC.


Advisories

No advisories yet.

References
History

Fri, 17 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Juniper
Juniper junos
CPEs cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s4:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s5:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s6:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s4:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s5:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r1-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:25.2:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:25.2:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:25.2:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:25.2:r1:*:*:*:*:*:*
Vendors & Products Juniper
Juniper junos

Mon, 13 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Juniper Networks
Juniper Networks junos Os
Vendors & Products Juniper Networks
Juniper Networks junos Os

Thu, 09 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system. When after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can login as root. This issue affects Junos OS: * all versions before 23.2R2-S7, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R2. This issue does not affect versions 25.4R1 or later.
Title Junos OS: A low privileged user can escalate their privileges so that they can login as root
Weaknesses CWE-61
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/RE:M'}


Subscriptions

Juniper Junos
Juniper Networks Junos Os
MITRE

Status: PUBLISHED

Assigner: juniper

Published:

Updated: 2026-04-13T13:04:16.395Z

Reserved: 2026-01-05T17:32:48.711Z

Link: CVE-2026-21916

Vulnrichment

Updated: 2026-04-13T13:00:23.659Z

NVD

Status : Analyzed

Published: 2026-04-09T22:16:24.953

Modified: 2026-04-17T18:05:52.693

Link: CVE-2026-21916

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:28:15Z

Weaknesses