CVE-2026-21902 Overview
CVE-2026-21902 is a critical Incorrect Permission Assignment for Critical Resource vulnerability (CWE-732) affecting the On-Box Anomaly detection framework in Juniper Networks Junos OS Evolved on PTX Series devices. This vulnerability enables an unauthenticated, network-based attacker to execute arbitrary code with root privileges, leading to complete device compromise.
The On-Box Anomaly detection framework is designed to be accessible only by internal processes over the internal routing instance. However, due to improper permission assignment, the service is exposed over an externally accessible port. This misconfiguration allows remote attackers to access and manipulate the service, executing code as root and gaining complete control over vulnerable devices. Critically, this service is enabled by default with no specific configuration required, meaning all affected devices are vulnerable out of the box.
Critical Impact
Unauthenticated remote attackers can execute code as root, resulting in complete device takeover. The vulnerability is enabled by default and requires no user interaction to exploit.
Affected Products
- Juniper Networks Junos OS Evolved on PTX Series, release 25.4 (versions before 25.4R1-S1-EVO and 25.4R2-EVO)
- Junos OS Evolved versions from 25.4R1-EVO onward, up to but not including the patched versions
- Note: Junos OS (non-Evolved) and versions before 25.4R1-EVO are NOT affected
Discovery Timeline
- 2026-02-25 - CVE-2026-21902 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-21902
Vulnerability Analysis
This vulnerability stems from improper permission assignment on a critical network service within the Junos OS Evolved operating system. The On-Box Anomaly detection framework, which is intended to provide internal anomaly detection capabilities, fails to properly restrict network access to its service endpoints.
Under normal operation, this framework should only accept connections from other internal processes communicating over the internal routing instance. However, the vulnerable implementation exposes the service on an external port that can be reached by any network-based attacker. This exposure is compounded by the fact that the service runs with root privileges, meaning any successful exploitation grants the attacker the highest level of system access.
The attack surface is particularly concerning because PTX Series routers are typically deployed in core network infrastructure positions, making them high-value targets for attackers seeking to establish persistence or pivot within enterprise and service provider networks.
Root Cause
The root cause is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). The On-Box Anomaly detection framework service was deployed with overly permissive network access controls, binding to externally accessible network interfaces rather than being restricted to internal-only routing instances. This architectural oversight exposes a privileged service to untrusted network traffic without proper authentication or access controls.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker with network connectivity to a vulnerable PTX Series device running Junos OS Evolved 25.4R1-EVO can remotely access the exposed Anomaly detection framework service. By exploiting this service, the attacker can execute arbitrary commands with root privileges, enabling complete device compromise.
The attack scenario involves:
- Network reconnaissance to identify PTX Series devices running vulnerable Junos OS Evolved versions
- Direct connection to the exposed Anomaly detection framework service port
- Exploitation of the service to execute arbitrary code as root
- Full device takeover with persistence capabilities
Since this service is enabled by default, all PTX Series devices running the affected Junos OS Evolved versions are immediately vulnerable upon deployment without any additional configuration.
Detection Methods for CVE-2026-21902
Indicators of Compromise
- Unexpected network connections to the On-Box Anomaly detection framework service ports from external sources
- Unusual process execution or system calls initiated by the Anomaly detection framework
- Unauthorized modifications to system configuration files or firmware
- Presence of unrecognized user accounts or SSH keys on the device
- Anomalous outbound network traffic from PTX Series devices indicating potential command-and-control communication
Detection Strategies
- Monitor network traffic for external connections to internal-only services on PTX Series devices
- Implement network segmentation and firewall rules to detect unauthorized access attempts to management interfaces
- Deploy intrusion detection systems (IDS) with signatures for Junos OS Evolved exploitation attempts
- Review device logs for authentication failures or unusual service access patterns
- Utilize SentinelOne Singularity for network visibility and anomaly detection across infrastructure devices
Monitoring Recommendations
- Establish baseline network behavior for PTX Series devices and alert on deviations
- Enable comprehensive logging on Junos OS Evolved devices and forward logs to a centralized SIEM
- Monitor for process execution anomalies or privilege escalation events on network infrastructure
- Implement continuous vulnerability scanning to identify unpatched devices in the environment
How to Mitigate CVE-2026-21902
Immediate Actions Required
- Upgrade affected Juniper PTX Series devices to Junos OS Evolved versions 25.4R1-S1-EVO or 25.4R2-EVO or later
- Implement network access controls to restrict access to device management interfaces from trusted sources only
- Audit existing PTX Series deployments to identify devices running vulnerable Junos OS Evolved versions
- Review device configurations and logs for signs of prior exploitation
- Engage Juniper TAC for guidance on urgent mitigation if immediate patching is not possible
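To support the inventory audit above, the following Python helper (an added example, not code from the advisory or from Juniper) classifies Junos OS Evolved version strings against the fixed releases named on this page; the version-string layout it parses (for example 25.4R1.7-EVO or 25.4R1-S1-EVO) and the sample hostnames are assumptions.

```python
import re

# Junos version strings are assumed to look like "25.4R1-EVO", "25.4R1.7-EVO" or
# "25.4R1-S1-EVO"; classic (non-Evolved) Junos OS builds such as "25.4R1.9" lack the
# -EVO suffix. This layout is an assumption about the output of "show version".
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<release>\d+)(?:\.\d+)?"
    r"(?:-S(?P<service>\d+)(?:\.\d+)?)?(?P<evo>-EVO)?$"
)


def classify_junos_version(version: str) -> str:
    """Classify a version for CVE-2026-21902: 'vulnerable', 'fixed', 'not_affected' or 'unknown'.

    Only the Junos OS Evolved 25.4 train is described as affected; anything the advisory
    does not cover (later trains, unparsable strings) is reported as 'unknown'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    if not m.group("evo"):
        return "not_affected"          # Junos OS (non-Evolved) is not affected
    major, minor = int(m.group("major")), int(m.group("minor"))
    release = int(m.group("release"))
    service = int(m.group("service") or 0)
    if (major, minor) < (25, 4):
        return "not_affected"          # releases before 25.4R1-EVO are not affected
    if (major, minor) > (25, 4):
        return "unknown"               # later trains are not covered by the advisory text
    if release >= 2 or (release == 1 and service >= 1):
        return "fixed"                 # 25.4R1-S1-EVO, 25.4R2-EVO or later in the train
    return "vulnerable"                # 25.4R1-EVO without a service release


def audit_inventory(inventory: dict) -> dict:
    """Group hostnames by classification for a patch-tracking report."""
    report = {}
    for host, version in inventory.items():
        report.setdefault(classify_junos_version(version), []).append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up for illustration.
    sample = {"ptx-core-1": "25.4R1-EVO", "ptx-core-2": "25.4R1.7-EVO",
              "ptx-edge-1": "25.4R1-S1-EVO", "ptx-edge-2": "25.4R2-EVO",
              "ptx-lab-1": "24.4R2-EVO", "mx-core-1": "25.4R1.9"}
    for status, hosts in sorted(audit_inventory(sample).items()):
        print(f"{status:13s} {', '.join(hosts)}")
```

Devices reported as 'unknown' should be checked against the vendor advisory rather than treated as safe.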
Patch Information
Juniper Networks has released patched versions of Junos OS Evolved to address this vulnerability. Affected organizations should upgrade to 25.4R1-S1-EVO, 25.4R2-EVO, or any subsequent release. The official security advisory is available at the Juniper Knowledge Base Advisory and Juniper Support Portal Advisory.
Workarounds
- Implement strict network access control lists (ACLs) to limit external access to PTX Series management interfaces
- Deploy the device behind a firewall that blocks unauthorized access to the Anomaly detection framework service ports
- Use out-of-band management networks to isolate device management traffic from production networks
- Consider disabling the On-Box Anomaly detection framework if not required (consult Juniper documentation for impact assessment)
# Example: Restrict management access using a firewall filter on the routing engine; 192.0.2.0/24 is a placeholder prefix (consult Juniper documentation for your specific configuration)
set policy-options prefix-list TRUSTED-MGMT-HOSTS 192.0.2.0/24
set firewall family inet filter PROTECT-RE term ALLOW-MGMT from source-prefix-list TRUSTED-MGMT-HOSTS
set firewall family inet filter PROTECT-RE term ALLOW-MGMT then accept
# Add terms for routing protocols and any other traffic the routing engine must accept before the final discard
set firewall family inet filter PROTECT-RE term DENY-ALL then discard
# Apply the filter to lo0 so it governs all traffic destined for the routing engine
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.