Description
A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices.

Any user logged in, without requiring specific privileges, can issue 'request csds' CLI operational commands. These commands are only meant to be executed by high privileged or users designated for Juniper Device Manager (JDM) / Connected Security Distributed Services (CSDS) operations as they will impact all aspects of the devices managed via the respective MX.

This issue affects Junos OS on MX Series:



* 24.4 releases before 24.4R2-S3, 
* 25.2 releases before 25.2R2.




This issue does not affect Junos OS releases before 24.4.
Published: 2026-04-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation Leading to Full Device Compromise
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the Juniper Junos OS CLI on MX Series routers. It allows a local, authenticated user with low privileges to issue the 'request csds' commands. These commands are intended only for high privileged users or those designated for Juniper Device Manager (JDM) or Connected Security Distributed Services (CSDS) operations. Abuse of this flaw can result in a complete compromise of the managed device, affecting confidentiality, integrity and availability of the device and potentially all clients connected to it. The weakness is identified as a Missing Permissions vulnerability, CWE-862.

Affected Systems

The issue impacts Juniper Networks Junos OS on MX Series routers. Versions affected are 24.4 releases before 24.4R2-S3 and 25.2 releases before 25.2R2. Releases before 24.4 are not affected.

Risk and Exploitability

The CVSS base score is 6.3, indicating medium severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local authenticated access; any user logged into the device with low privileges can invoke the vulnerable commands, making exploitation trivial for an insider or an attacker who has obtained legitimate credentials. The risk is significant as the attacker can gain full control of the device.

Generated by OpenCVE AI on April 9, 2026 at 23:24 UTC.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: 24.4R2-S3, 25.2R2, 25.4R1, and all subsequent releases.

Vendor Workaround

Use access lists or firewall filters to limit access to the CLI only from trusted hosts and administrators. Utilize CLI authorization to disallow execution of the 'request csds' commands.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Junos OS: 24.4R2-S3, 25.2R2, 25.4R1, or any newer releases.
  • If patching is not immediately possible, restrict CLI access to trusted hosts and administrators using access lists or firewall filters.
  • Configure CLI authorization to disallow execution of 'request csds' commands for low‑privileged users.

Generated by OpenCVE AI on April 9, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://kb.juniper.net/JSA107872 cve-icon cve-icon
History

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Juniper Networks
Juniper Networks junos Os
Vendors & Products Juniper Networks
Juniper Networks junos Os

Thu, 09 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices. Any user logged in, without requiring specific privileges, can issue 'request csds' CLI operational commands. These commands are only meant to be executed by high privileged or users designated for Juniper Device Manager (JDM) / Connected Security Distributed Services (CSDS) operations as they will impact all aspects of the devices managed via the respective MX. This issue affects Junos OS on MX Series: * 24.4 releases before 24.4R2-S3,  * 25.2 releases before 25.2R2. This issue does not affect Junos OS releases before 24.4.
Title Junos OS: MX Series: Missing Authorization for specific 'request' CLI commands in a JDM/CSDS scenario
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/AU:Y/R:U/RE:M'}

Subscriptions

Juniper Networks Junos Os
cve-icon MITRE

Status: PUBLISHED

Assigner: juniper

Published:

Updated: 2026-04-09T21:37:04.370Z

Reserved: 2026-03-23T19:46:13.670Z

Link: CVE-2026-33785

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-09T22:16:27.987

Modified: 2026-04-09T22:16:27.987

Link: CVE-2026-33785

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:27:49Z

Weaknesses