Critical Juniper Networks PTX flaw allows full router takeover
Source: Bleeping Computer

A critical vulnerability in the Junos OS Evolved network operating system running on PTX Series routers from Juniper Networks could allow an unauthenticated attacker to execute code remotely with root privileges.
The PTX Series routers are high‑performance core and peering routers built for high throughput, low latency, and scale. They are commonly used by internet service providers, telecommunication services, and cloud network applications.
The security issue is tracked as CVE‑2026‑21902 and is caused by incorrect permission assignment in the On‑Box Anomaly Detection framework, which should be exposed to internal processes only over the internal routing interface. The flaw makes the framework reachable over an externally exposed port, as explained in Juniper’s security advisory.
Because the service runs as root and is enabled by default, successful exploitation would allow an attacker who is already on the network to take full control of the device without authentication.
Affected Versions
- Junos OS Evolved versions before 25.4R1‑S1‑EVO and 25.4R2‑EVO on PTX Series routers.
- Older versions may also be impacted, but Juniper does not assess releases that have reached end‑of‑engineering or end‑of‑life (EoL) status.
- Versions before 25.4R1‑EVO, and standard (non‑Evolved) Junos OS versions, are not impacted.
Juniper has delivered fixes in the following releases:
- 25.4R1‑S1‑EVO
- 25.4R2‑EVO
- 26.2R1‑EVO
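The version boundaries above can be applied to a device inventory to triage which PTX routers need the patch or the mitigation. The following is an added example, not code from Juniper or the article; it assumes the inventory holds only PTX Series devices, that version strings follow the `<train>R<n>[-S<n>][.<build>]-EVO` pattern, and it reports any release the article does not name as `unknown`. Hostnames and the inventory are constructed.

```python
import re

# Junos OS Evolved release string: <major>.<minor>R<release>[-S<service>][.<build>]-EVO
_EVO = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?-EVO$", re.IGNORECASE)

def parse_evo(version):
    """Return (major, minor, release, service) or None if the string does not parse."""
    m = _EVO.match(version.strip())
    if not m:
        return None
    major, minor, rel, svc = m.groups()
    return (int(major), int(minor), int(rel), int(svc or 0))

def triage(version):
    """Classify one version string against the releases named in the article."""
    if not version.strip().upper().endswith("-EVO"):
        return "not_affected"      # standard (non-Evolved) Junos OS is not impacted
    v = parse_evo(version)
    if v is None:
        return "unknown"           # Evolved, but not a format this sketch understands
    if v < (25, 4, 1, 0):
        return "not_affected"      # versions before 25.4R1-EVO are not impacted
    if v[:2] == (25, 4):
        # Fixed in 25.4R1-S1-EVO and 25.4R2-EVO; anything earlier on 25.4 is affected.
        return "fixed" if v[2:] >= (1, 1) else "affected"
    if v >= (26, 2, 1, 0):
        return "fixed"             # 26.2R1-EVO carries the fix
    return "unknown"               # release not named in the article: check the advisory

def audit(inventory):
    """Map each status to the sorted hostnames in that state."""
    report = {}
    for host, version in inventory.items():
        report.setdefault(triage(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed sample inventory (hostnames and builds are illustrative only).
SAMPLE_INVENTORY = {
    "ptx-core-01": "25.4R1.12-EVO",
    "ptx-core-02": "25.4R1-S1.3-EVO",
    "ptx-peer-01": "25.2R2-EVO",
    "ptx-peer-02": "26.1R1-EVO",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Devices reported as `affected` or `unknown` are the ones to check against Juniper's advisory first.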
The Security Incident Response Team (SIRT) stated that it was not aware of malicious exploitation of the vulnerability at the time of publishing the bulletin.
Mitigation
If immediate patching is not possible, Juniper recommends:
- Restrict access to the vulnerable endpoints to trusted networks only using firewall filters or Access Control Lists (ACLs).
- Disable the vulnerable service entirely:
    request pfe anomalies disable
Related Security Incidents
- March 2025 – Chinese cyber‑espionage actors were reported deploying custom backdoors, variants of the “TinyShell” backdoor, on EoL Junos OS MX routers.
- January 2025 – The “J‑magic” malware campaign targeted Juniper VPN gateways, deploying network‑sniffing malware that activates upon receiving a “magic packet.”
- December 2024 – Juniper Smart routers were targeted by Mirai botnet campaigns, becoming part of distributed denial‑of‑service (DDoS) swarms.