Junos OS PTX Flaw (CVE-2026-21902) Enables Remote Root RCE
A critical vulnerability in Junos OS Evolved, tracked as CVE-2026-21902, allows unauthenticated attackers to achieve remote root code execution (RCE) on affected PTX Series routers.
With CVSS v3.1 and v4.0 scores of 9.8 and 9.3, respectively, this flaw poses a severe threat to network infrastructure, particularly in data centers and service provider environments where PTX platforms handle massive traffic volumes.
The vulnerability stems from an Incorrect Permission Assignment for a critical resource (CWE-732) in the On-Box Anomaly Detection framework.
This component, designed for internal monitoring of packet forwarding engine (PFE) anomalies, exposes a service over an externally accessible port, contrary to its intended isolation within the internal routing instance.
Attackers can remotely reach this service without authentication, manipulate it, and execute arbitrary code with root privileges, granting full device compromise. Alarmingly, the service is activated by default and requires no user configuration.
Affected platforms are PTX Series routers running Junos OS Evolved 25.4R1-EVO releases earlier than 25.4R1-S1-EVO, the service release that carries the fix. Releases before 25.4R1-EVO, and non-Evolved Junos OS, are not affected.
Juniper’s Security Incident Response Team (SIRT) confirmed the issue via internal testing, with no known malicious exploits to date. The advisory, published February 25, 2026, tracks it under internal ID 1914948.
The CVSS v3.1 vector explains the 9.8: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The 9.3 under CVSS v4.0 describes the same profile, with no attack requirements (AT:N) and high impact on the vulnerable system's confidentiality, integrity, and availability (VC:H/VI:H/VA:H); the advisory's supplemental Provider Urgency metric is Red, the highest level.
Technical Deep Dive
PTX Series routers, built for 400G/800G core routing, run the distributed control plane of Junos OS Evolved. The anomaly-detection framework polls PFE telemetry for conditions such as buffer overflows or forwarding errors.
The advisory classifies the root cause as incorrect permission assignment (CWE-732): the service is not confined to the internal routing instance as intended, so its listening port is reachable from external interfaces and escapes routing-instance segregation.
Because the service itself runs as root, an attacker who can reach the port and drive the service's interface executes code as root directly; no separate privilege-escalation step is needed. The advisory does not describe the specific request that triggers code execution, and Juniper reports no known malicious exploitation.
Juniper urges immediate upgrading. Fixes are in Junos OS Evolved 25.4R1-S1-EVO, the upcoming 25.4R2-EVO and 26.2R1-EVO, and all subsequent releases. Per KB16446, the CVSS score maps to Juniper's severity rating. Releases that have reached End of Engineering or End of Support will not receive a fix, so devices on those trains must move to a supported release.
Mitigation Strategies
Juniper lists no complete workaround, but two measures reduce exposure until the device is upgraded:
- Deploy firewall filters (on Junos, typically an input filter on lo0) that allow control-plane traffic only from trusted source prefixes.
- Disable the anomaly-detection service from the CLI:
  request pfe anomalies disable
The request command is operational, not configuration, so re-check the service state after any reboot or software restart. In either case, confirm from an untrusted network position that the service no longer answers; a filter that only covers management ports does not help if the service listens on a port the filter never matches.
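A lo0 input filter of the kind the first mitigation describes, written as an added example rather than configuration taken from Juniper's advisory. Because the advisory does not publish the anomaly-detection port, the filter does not match on it; it instead accepts only the traffic the Routing Engine must receive and discards everything else, which covers the exposed service whatever port it uses. The prefixes 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges standing in for the operator's management network and BGP peers, and the accepted protocol set is an assumption to adapt to the device's role.

```junos
/* Added example, not Juniper's configuration: lo0 filter allowing control-plane
   traffic only from trusted sources. Prefixes are placeholders (assumption). */
policy-options {
    prefix-list TRUSTED-MGMT {
        192.0.2.0/24;
    }
    prefix-list BGP-PEERS {
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* SSH and NETCONF only from the management prefix */
            term mgmt-from-trusted {
                from {
                    source-prefix-list {
                        TRUSTED-MGMT;
                    }
                    protocol tcp;
                    destination-port [ ssh 830 ];
                }
                then accept;
            }
            /* BGP sessions only from configured peers */
            term bgp-from-peers {
                from {
                    source-prefix-list {
                        BGP-PEERS;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* IGP and ICMP diagnostics; extend for LDP, RSVP, BFD, NTP, DNS as
               the role requires (IS-IS is not IP and is unaffected by this filter) */
            term igp-and-icmp {
                from {
                    protocol [ ospf icmp ];
                }
                then accept;
            }
            /* Everything else reaching the RE, including the exposed
               anomaly-detection port, is logged and dropped */
            term discard-rest {
                then {
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

Apply it with `commit confirmed` so that a term that cuts off management or a routing session rolls back automatically, add an equivalent family inet6 filter if the control plane is reachable over IPv6, and after the commit verify from an untrusted vantage point that the anomaly-detection service no longer responds.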
Experts warn of cascading risks. “PTX compromise enables BGP hijacks or DDoS amplification,” says cybersecurity analyst Rajesh Kumar of Chennai-based NetSec Labs. “Service providers must audit exposures now.” This follows a string of Junos vulnerabilities, including last year’s RE curse RCE chain.
Site: cybersecuritypath.com