Summary
CVE-2026-21902 is a critical flaw in Junos OS Evolved on Juniper PTX routers. The On-Box Anomaly Detection service, meant for internal use only, can be reached from the network, letting unauthenticated attackers run code as root. Because the service is enabled by default, successful exploitation gives full control of the device. Affected versions are 25.4 before 25.4R1-S1-EVO and 25.4R2-EVO; patches are available.
Urgent Actions Required
- Upgrade Junos OS Evolved on affected Juniper PTX Series routers to the fixed releases, including 25.4R1-S1-EVO, 25.4R2-EVO, or later supported versions, to remediate CVE-2026-21902.
- If immediate patching cannot be performed, limit network access to the exposed service by applying firewall filters or Access Control Lists (ACLs) so that only trusted management networks can reach the device.
- As a temporary mitigation, where operationally acceptable, disable the vulnerable anomaly detection service using the command: request pfe anomalies disable
Which Systems Are Vulnerable to CVE-2026-21902?
Technical Overview
- Vulnerability Type: Incorrect Permission Assignment for Critical Resource leading to Unauthenticated Remote Code Execution
- Affected Software/Versions:
- Junos OS Evolved on Juniper PTX Series routers
- 25.4 versions prior to 25.4R1-S1-EVO
- 25.4 versions prior to 25.4R2-EVO
- Not Affected:
- Junos OS Evolved versions before 25.4R1-EVO
- Standard (non-Evolved) Junos OS
- CVSS Vector (v4.0):
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): None
- User Interaction (UI): None
- Vulnerable System Confidentiality (VC): High
- Vulnerable System Integrity (VI): High
- Vulnerable System Availability (VA): High
- Subsequent System Confidentiality (SC): None
- Subsequent System Integrity (SI): None
- Subsequent System Availability (SA): Low
- Automatable (AU): Yes
- Recovery (R): User
- Vulnerability Response Effort (RE): Moderate
- Provider Urgency (U): Red
- Patch Availability: Yes, available
2026-02 Out-of-Cycle Security Bulletin: Junos OS Evolved: PTX Series: A vulnerability allows an unauthenticated, network-based attacker to execute code as root (CVE-2026-21902)
How Does the CVE-2026-21902 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2026-21902?
Vulnerability Root Cause:
CVE-2026-21902 arises from incorrect permission assignments in the On-Box Anomaly Detection Framework of Junos OS Evolved on PTX Series. The service, running as root and enabled by default, is intended for internal processes only but can be accessed externally. This misconfiguration allows unauthenticated network attackers to execute arbitrary code with root privileges, giving full control over the device without authentication or user interaction.
How Can You Mitigate CVE-2026-21902?
If immediate patching is delayed or not possible:
- Restrict service access with firewalls or ACLs to trusted networks.
- Block traffic to the Anomaly Detection service from untrusted sources.
- Temporarily disable the service using request pfe anomalies disable.
Which Assets and Systems Are at Risk?
- Asset Types Affected:
- PTX Series routers with affected Junos OS Evolved versions.
- Networks where the anomaly detection service is exposed.
- Business-Critical Systems at Risk:
- Service provider and telecom core routers.
- Cloud data centers using PTX Series for high-throughput traffic.
- Large enterprise backbone networks.
- Exposure Level:
- Network-accessible routers where the anomaly detection service is reachable from external or untrusted networks.
- Environments using affected Junos OS Evolved versions where the service remains enabled by default and has not yet been updated to patched releases.
Will Patching CVE-2026-21902 Cause Downtime?
Patch application impact: Minimal downtime; update Junos OS Evolved on PTX Series to 25.4R1-S1-EVO or 25.4R2-EVO.
Mitigation (if immediate patching is not possible): Restrict port 8160/TCP via ACLs or disable the service (request pfe anomalies disable) until patched.
How Can You Detect CVE-2026-21902 Exploitation?
Exploitation Signatures:
Look for traffic targeting port 8160/TCP on Juniper PTX devices, especially requests creating or modifying DAGs, commands, or DAG instances via the On-Box Anomaly Detection Framework API.
Indicators of Compromise (IOCs/IOAs):
- Unexpected files in /var/home/ or /tmp/ created by DAG commands (e.g., proof-of-execution files).
- Creation or modification of DAG, command, or handler configurations without authorization.
- API calls to /config/command/, /config/dag/, /config/dag-instance/, or /config/commit from untrusted networks.
Behavioral Indicators:
- Unauthenticated access triggering command execution on the router.
- Changes in scheduled DAG workflows or repeated execution of DAG instances without admin action.
Alerting Strategy:
- Priority: Critical
- Trigger alerts for:
- Access to the On-Box Anomaly Detection REST API from external/untrusted sources.
- Unexpected creation of DAGs, commands, or DAG instances.
- File creation in monitored directories by anomaly framework processes.
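The detection logic above, as an added example that is not part of the advisory or Juniper's tooling: it scans request logs for traffic to 8160/TCP that touches the sensitive API paths from outside a trusted management prefix list. The log line format, the sample addresses and the trusted prefixes are constructed assumptions.

```python
# Added example (not Juniper's code): flag requests to the On-Box Anomaly Detection
# API on 8160/TCP that touch the advisory's sensitive paths from untrusted sources.
# Log format is a constructed assumption: "<time> <src> -> <dst>:<port> <METHOD> <path>".
import ipaddress
import re
from typing import Dict, List

ANOMALY_PORT = 8160
# API paths the advisory names as indicators of compromise.
SENSITIVE_PATHS = ("/config/command/", "/config/dag/", "/config/dag-instance/", "/config/commit")
# Methods that create or modify DAGs, commands or instances rank above read-only GETs.
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> \S+:(?P<port>\d+) (?P<method>[A-Z]+) (?P<path>\S+)$")


def is_trusted(src: str, trusted: List[str]) -> bool:
    """True if src lies inside one of the trusted management prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in trusted)


def detect(lines: List[str], trusted: List[str]) -> List[Dict[str, str]]:
    """One finding per request to a sensitive path on 8160/TCP from an untrusted source."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["port"]) != ANOMALY_PORT:
            continue  # malformed line or unrelated port: skip rather than crash the pipeline
        if not m["path"].startswith(SENSITIVE_PATHS) or is_trusted(m["src"], trusted):
            continue
        severity = "critical" if m["method"] in MUTATING_METHODS else "high"
        findings.append({"ts": m["ts"], "src": m["src"], "method": m["method"],
                         "path": m["path"], "severity": severity})
    return findings


# Constructed sample traffic using documentation address ranges, not real hosts.
SAMPLE_LOG = [
    "2026-02-10T09:14:02Z 203.0.113.7 -> 192.0.2.1:8160 POST /config/command/",
    "2026-02-10T09:14:03Z 203.0.113.7 -> 192.0.2.1:8160 POST /config/dag-instance/",
    "2026-02-10T09:14:04Z 203.0.113.7 -> 192.0.2.1:8160 POST /config/commit",
    "2026-02-10T09:20:00Z 10.0.0.5 -> 192.0.2.1:8160 GET /config/dag/",
    "2026-02-10T09:21:00Z 203.0.113.9 -> 192.0.2.1:22 GET /config/dag/",
]
TRUSTED_MGMT = ["10.0.0.0/8"]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG, TRUSTED_MGMT):
        print(f"[{f['severity']}] {f['ts']} {f['src']} {f['method']} {f['path']}")
```

The three findings from 203.0.113.7 form the create command, create DAG instance, commit sequence the advisory describes; a read-only GET from an untrusted source is still reported, at lower severity.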
Remediation & Response
- Remediation Timeline:
- Immediate (0–2 hrs): Restrict access to port 8160/TCP using ACLs or firewall rules.
- Within 8 hrs: Upgrade Junos OS Evolved on PTX Series to 25.4R1-S1-EVO, 25.4R2-EVO, or later.
- Within 24 hrs: Verify no devices are running vulnerable versions and confirm port restrictions are effective.
- Rollback Plan:
- If the upgrade causes issues, revert to the previous stable version and maintain access restrictions on port 8160/TCP.
- Document rollback steps, including device, OS version, and the responsible engineer.
- Incident Response Considerations:
- Isolate affected devices to prevent unauthorized RCE via the anomaly framework.
- Collect logs of API requests to /config/command/, /config/dag/, /config/dag-instance/, and /config/commit.
- Check /var/home/ and /tmp/ for unexpected files created by DAG commands.
- Monitor the anomaly framework for unauthorized access and confirm mitigation after patching.