CVE-2026-21902: Juniper Junos OS Evolved Pre-Auth RCE — Full Router Takeover & How to Fix It

Executive Summary

CVE-2026-21902 is a critical pre-authentication remote code execution (RCE) vulnerability in Juniper Networks PTX Series routers running Junos OS Evolved, carrying a CVSS v3.1 score of 9.8. An unauthenticated remote attacker can send crafted requests to an externally exposed internal service to execute arbitrary code as root, achieving complete device takeover with no user interaction required. Patches have been released and organizations running affected Junos OS Evolved 25.4.x versions should apply them immediately — or apply the documented workaround — given the ease of weaponization.


1. What Is This Vulnerability?

CVE-2026-21902 is rooted in CWE-732: Incorrect Permission Assignment for Critical Resource. Junos OS Evolved includes an On-Box Anomaly Detection framework — an internal telemetry and monitoring service — that is intended to be accessible only by local kernel processes through an internal routing instance. However, due to a misconfiguration introduced in the 25.4.x release branch, this service is inadvertently exposed on an externally reachable network port with no authentication enforced.

Because the service runs with root privileges and accepts unauthenticated input from the network, an attacker who discovers the open port can craft requests that trigger arbitrary code execution at the highest privilege level on the device.

The vulnerability was disclosed by Juniper Networks via an internal security review and coordinated advisory in February/March 2026. No CVE-specific exploit code has been publicly released, but the attack surface is straightforward enough to be weaponized rapidly once the open port is fingerprinted.

Attack Vector

  1. Attacker performs network reconnaissance (e.g., via Shodan, Censys, or targeted port scanning) to identify PTX routers with the vulnerable Junos OS Evolved version.
  2. Attacker identifies the exposed Anomaly Detection service port (internal service unintentionally listening on an external interface).
  3. Attacker sends a crafted unauthenticated request to the service — no credentials, no interaction from an authenticated operator needed.
  4. The service processes the malicious input and executes attacker-controlled code as root.
  5. With root access, the attacker can exfiltrate configuration, install backdoors, manipulate routing tables, pivot laterally, or cause a full denial of service.

Real-World Impact

No confirmed in-the-wild exploitation has been reported as of the publication of this advisory. However, PTX Series routers are high-throughput backbone-class devices commonly deployed in carrier networks, large enterprise WANs, and internet exchange points (IXPs). A successful exploit against even one such router could allow an attacker to intercept or reroute massive volumes of traffic, making this a high-value target for nation-state actors and sophisticated threat groups. The combination of pre-authentication access and root-level execution makes rapid in-the-wild exploitation a realistic near-term risk.


2. Who Is Affected?

Affected:

  • Juniper Networks PTX Series Routers
  • Running Junos OS Evolved in the 25.4 release train, specifically:
    • 25.4R1-EVO builds prior to the 25.4R1-S1-EVO service release
    • Any other 25.4 release prior to 25.4R2-EVO

Not Affected:

  • Junos OS Evolved releases before 25.4R1-EVO (the vulnerable code was not present)
  • Junos OS Evolved 25.4R1-S1-EVO and later
  • Junos OS Evolved 25.4R2-EVO and later
  • Junos OS Evolved 26.2R1-EVO and later
  • All standard (non-Evolved) Junos OS versions on any platform — only the "Evolved" variant is affected

Organizations running PTX Series hardware on earlier Junos OS Evolved release trains (e.g., 23.x, 24.x) are not directly vulnerable, but should still validate their running version and review Juniper's advisory for any additional guidance.


3. How to Detect It (Testing)

Manual Testing Steps

Step 1 — Check your Junos OS Evolved version: Log in to the device and run:

show version

Look for output identifying the OS as Junos OS Evolved and the release. If you see 25.4R1-EVO without the -S1 service patch suffix, or any 25.4Rx version below 25.4R2-EVO, the device is potentially vulnerable.

Step 2 — Check whether the anomaly detection service is running:

show pfe anomalies status

If the service is active and the device is on a vulnerable release, it is exposed.

Step 3 — Check for unexpected open ports: From a trusted management host, and inside a maintenance window, run a port scan against the router's management and data-plane interfaces:

nmap -sV -p 1-65535 <router-management-ip>

Look for any listening service on a port that is not part of your standard Junos services (SSH/22, NETCONF over SSH/830, and whatever else your baseline explicitly allows). Cross-reference with Juniper's advisory for the specific port and protocol used by the Anomaly Detection framework; if the advisory identifies a UDP listener, add a UDP scan (-sU) for that port, because -p 1-65535 on its own covers only TCP. A full 65,535-port scan with version probing (-sV) sends a large volume of traffic to the Routing Engine, so run it from the out-of-band network rather than across a production path.

Step 4 — Check Juniper advisory for your specific hardware/line card combination: Different PTX line cards may expose the service on different ports. Validate against the Juniper Security Advisory JSA92874 for your exact hardware.
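To turn Step 1 into something you can run across a fleet rather than device by device, here is an added Python example (not code from the advisory or from Juniper) that pulls the release string from captured show version output and classifies it against the affected and fixed lists in section 2. The captures, hostnames and models are constructed samples; the release-string shapes it assumes (25.4R1.9-EVO, 25.4R1-S1.3-EVO, and classic Junos strings without -EVO) should be checked against your own devices' output.

```python
import re
from typing import Dict, Optional, Tuple

# Release strings as printed by Junos OS Evolved, e.g. 25.4R1-EVO, 25.4R1.9-EVO,
# 25.4R1-S1-EVO, 25.4R1-S1.3-EVO (build numbers after the R or S field are optional).
# Classic Junos OS strings (e.g. 23.4R2-S3.9) carry no -EVO suffix and never match.
_EVO_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<r>\d+)(?:\.\d+)?"
    r"(?:-S(?P<s>\d+)(?:\.\d+)?)?-EVO$"
)


def classify_release(version: str) -> str:
    """Classify one release string against the advisory's affected/fixed lists:
    'affected', 'fixed', 'not_affected' or 'unknown' (review by hand)."""
    version = version.strip()
    if not version:
        return "unknown"
    m = _EVO_RE.match(version)
    if m is None:
        # Only the Evolved variant carries the flaw; an -EVO string we cannot parse
        # is flagged for review rather than silently treated as safe.
        return "unknown" if "-EVO" in version else "not_affected"
    train = (int(m["major"]), int(m["minor"]))
    r = int(m["r"])
    s = int(m["s"]) if m["s"] else 0
    if train != (25, 4):
        return "not_affected"   # the vulnerable code exists only in the 25.4 train
    if r >= 2 or s >= 1:
        return "fixed"          # 25.4R2-EVO and later, or 25.4R1-S1-EVO and later
    return "affected"           # plain 25.4R1-EVO builds


def release_from_show_version(output: str) -> Optional[str]:
    """Extract the release from 'show version' text via its 'Junos: <release>' line."""
    for line in output.splitlines():
        if line.strip().startswith("Junos:"):
            return line.split(":", 1)[1].strip()
    return None


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map hostname -> (release string or '?', classification) for captured outputs."""
    result: Dict[str, Tuple[str, str]] = {}
    for host, output in inventory.items():
        release = release_from_show_version(output)
        result[host] = (release or "?", classify_release(release) if release else "unknown")
    return result


# Constructed sample captures (hostnames, models and releases are illustrative only).
SAMPLE_INVENTORY = {
    "ptx-core-1": "Hostname: ptx-core-1\nModel: ptx10008\nJunos: 25.4R1.9-EVO\n",
    "ptx-core-2": "Hostname: ptx-core-2\nModel: ptx10008\nJunos: 25.4R1-S1.3-EVO\n",
    "ptx-edge-1": "Hostname: ptx-edge-1\nModel: ptx10001-36mr\nJunos: 24.4R2.11-EVO\n",
    "ptx-lab-1": "Hostname: ptx-lab-1\nModel: ptx10008\nJunos: 26.2R1.5-EVO\n",
    "mx-pe-1": "Hostname: mx-pe-1\nModel: mx480\nJunos: 23.4R2-S3.9\n",
}

if __name__ == "__main__":
    for host, (release, status) in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {release:18} {status}")
```

Feed it the raw show version text collected by whatever you already use for inventory (NETCONF, SSH, or a saved capture) and treat every "unknown" as a device to look at by hand, not as a pass.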

Automated Scanning

Tool: runZero (network discovery) or Nessus / Tenable.io

runZero Query:

os.vendor:"Juniper" AND os.family:"Junos OS Evolved" AND hw.model:~"PTX"

runZero has published a detection fingerprint specifically for CVE-2026-21902; refer to their blog post for configuration details.

Nessus: After updating the plugin feed on your Nessus/Tenable.sc installation, search for the plugin that targets CVE-2026-21902 and run a credentialed scan against the affected subnets.

Expected output: Any PTX device returning the vulnerable Junos OS Evolved version string during credentialed enumeration should be flagged.

Code Review / Configuration Checklist

  • Confirm show version output on all PTX devices running Junos OS Evolved
  • Verify no PTX device is on a 25.4R1-EVO build without the -S1 service patch
  • Confirm firewall filters are applied to management and out-of-band interfaces to restrict access to trusted prefixes only
  • Validate show pfe anomalies status output — service should be disabled if patching is delayed
  • Review routing policy to ensure the internal routing instance used by the Anomaly Detection service cannot be reached from untrusted networks

4. How to Fix It (Mitigation)

Option A — Apply the Patch (Recommended)

Upgrade to one of the following fixed Junos OS Evolved releases:

Fixed Release    Notes
25.4R1-S1-EVO    Service release for the 25.4R1 train
25.4R2-EVO       Next maintenance release, also fixed
26.2R1-EVO       Current major release, unaffected

Step-by-Step Upgrade Procedure:

  1. Take a system snapshot and back up the current configuration (save is a configuration-mode command, so from operational mode pipe show configuration into it):

    request system snapshot
    show configuration | save /var/home/admin/config-backup-pre-patch.conf
    
  2. Download the fixed Junos OS Evolved image from the Juniper Support Portal (requires a valid support contract). The file name used below is a placeholder; use the exact name of the image you downloaded.

  3. Transfer the image to the router:

    scp junos-evo-25.4R1-S1.tgz admin@<router-ip>:/var/tmp/
    
  4. Verify image integrity against the SHA256 checksum Juniper publishes alongside the image before installing it (for example with the Junos file checksum sha-256 command on the device, or sha256sum on the transfer host).

  5. Install the upgrade:

    request system software add /var/tmp/junos-evo-25.4R1-S1.tgz
    
  6. Reboot inside the scheduled maintenance window:

    request system reboot
    
  7. Verify post-upgrade that the release string is the fixed one and that the service state is what you expect:

    show version
    show pfe anomalies status
    

Option B — Disable the Vulnerable Service (Workaround — if patching is delayed)

If an immediate upgrade is not feasible, disable the On-Box Anomaly Detection service:

request pfe anomalies disable

Verify it is no longer running:

show pfe anomalies status

Note: Disabling this service may reduce visibility into certain hardware anomaly events, so evaluate the operational impact before applying it in production. Because this is an operational-mode request command rather than a committed configuration change, confirm with Juniper's advisory whether the disabled state survives a reboot or Routing Engine switchover, and re-check show pfe anomalies status after any restart.

Option C — Restrict Access with ACLs / Firewall Filters

If neither patching nor disabling the service is immediately possible, restrict access to the exposed port using a Junos firewall filter. The filter below is a minimal illustration: applied to lo0 it governs all traffic destined to the Routing Engine, so on a production PTX the DENY-ALL term would also drop BGP, IS-IS/OSPF, LDP/RSVP, BFD, NTP, DNS, SNMP and AAA traffic from every prefix other than the trusted management range. Merge these terms into your existing Routing Engine protection filter (accepting the control-plane protocols you actually run) rather than committing this fragment on its own, add an equivalent family inet6 filter if the device is managed over IPv6, and confirm that traffic arriving on the dedicated management interface is covered as well:

firewall {
    family inet {
        filter PROTECT-RE {
            term ALLOW-TRUSTED-MGMT {
                from {
                    source-address {
                    /* Replace with your trusted management prefix */
                    192.168.100.0/24;
                    }
                }
                then accept;
            }
            term DENY-ALL {
                then {
                    discard;
                    log;
                    syslog;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}

Enter configuration mode, load the filter, and commit with a confirmation timer:

commit confirmed 5

commit confirmed 5 activates the change immediately but rolls it back automatically after 5 minutes unless a plain commit is issued within that window. Verify from a trusted host that SSH, NETCONF and your routing-protocol sessions are still up, then issue commit to make the filter permanent; if the filter has locked you out, do nothing and the automatic rollback restores the previous configuration.


5. How to Test the Fix (Validation)

Regression Test Scenarios

  • Scenario A: Attempt to reach the Anomaly Detection service port from an untrusted external IP — connection should be refused or silently dropped.
  • Scenario B: Confirm that legitimate Junos management functions (SSH, NETCONF, CLI) continue to work normally for authorized users.
  • Scenario C: Re-run show version to confirm the patched release string is present and no rollback occurred.

Security Test Cases

Test Case 1: Verify the service is no longer reachable from untrusted hosts

  • Precondition: Patch applied or service disabled or ACL in place
  • Steps: From an external/untrusted IP, attempt to connect to the previously exposed port identified in the Juniper advisory
  • Expected Result: Connection times out or is refused; no service banner returned

Test Case 2: Verify root execution is not possible via unauthenticated request

  • Precondition: Patch applied (25.4R1-S1-EVO or later)
  • Steps: If a proof-of-concept test harness is available in a lab environment, attempt the crafted request that previously triggered code execution
  • Expected Result: Request is rejected; no command output returned; no unexpected process spawned (verify via show system processes)

Test Case 3: Verify operational continuity

  • Precondition: Post-patch, with anomaly detection service active
  • Steps: Validate BGP session states, interface statistics, and routing table integrity
  • Expected Result: All routing sessions stable; no unexpected route withdrawals or interface flaps

Automated Validation

# Quick check: confirm no unexpected open ports on the device post-patch.
# Keep only the per-port lines: the raw report also carries timestamps and scan
# statistics that would otherwise show up as spurious differences in the diff.
nmap -sV --version-intensity 5 -p 1-65535 <router-ip> \
  | grep -E '^[0-9]+/(tcp|udp)' \
  | grep -v -E 'filtered|closed' \
  | tee "juniper-post-patch-scan-$(date +%Y%m%d).txt"

# Diff against the pre-patch baseline, captured the same way, to confirm only expected changes
diff juniper-pre-patch-scan.txt "juniper-post-patch-scan-$(date +%Y%m%d).txt"
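The diff above is easier to automate from nmap's grepable output (-oG), which puts each host's open ports on a single line. The following Python is an added example, not part of the original page: it parses two -oG captures, reports per host which ports opened, which closed and which remain open outside an expected set, and returns a pass/fail for the post-patch scan. Both captures are constructed samples, the expected-port set is an assumption for this example, and port 49001 in the samples is a placeholder standing in for whatever port the advisory identifies; it is not the real service port.

```python
import re
from typing import Dict, List, Set, Tuple

Port = Tuple[int, str]  # (port number, protocol)

# Listeners you expect on the management plane; everything else is reported.
# Assumption for this example: SSH and NETCONF over SSH only.
EXPECTED: Set[Port] = {(22, "tcp"), (830, "tcp")}

# nmap -oG writes one "Host: <ip> (<name>)\tPorts: ..." line per host with results.
_PORTS_LINE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\([^)]*\)\s+Ports:\s+(?P<ports>[^\t]*)")


def parse_grepable(text: str) -> Dict[str, Set[Port]]:
    """Return {ip: set of (port, proto) reported 'open'} from nmap -oG output."""
    hosts: Dict[str, Set[Port]] = {}
    for line in text.splitlines():
        m = _PORTS_LINE.match(line)
        if m is None:
            continue  # comment, "Status: Up" and summary lines carry no port data
        found = hosts.setdefault(m["ip"], set())
        for entry in m["ports"].split(", "):
            fields = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            if len(fields) >= 3 and fields[1] == "open":
                found.add((int(fields[0]), fields[2]))
    return hosts


def diff_scans(baseline: Dict[str, Set[Port]],
               current: Dict[str, Set[Port]]) -> Dict[str, Dict[str, List[Port]]]:
    """Per host: ports that opened since the baseline, ports that closed, and
    ports still open after the change that are not in EXPECTED."""
    report: Dict[str, Dict[str, List[Port]]] = {}
    for ip in sorted(set(baseline) | set(current)):
        before, after = baseline.get(ip, set()), current.get(ip, set())
        report[ip] = {
            "opened": sorted(after - before),
            "closed": sorted(before - after),
            "unexpected": sorted(after - EXPECTED),
        }
    return report


def post_patch_ok(report: Dict[str, Dict[str, List[Port]]]) -> bool:
    """True only when no host still exposes a port outside EXPECTED."""
    return all(not entry["unexpected"] for entry in report.values())


# Constructed samples. Port 49001 is a placeholder for the advisory's port, not its real value.
PRE_PATCH_SCAN = "\n".join([
    "# Nmap scan initiated as: nmap -sV -p 1-65535 -oG - 192.0.2.10 192.0.2.11",
    "Host: 192.0.2.10 ()\tStatus: Up",
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 830/open/tcp//netconf?///, "
    "49001/open/tcp//unknown///\tIgnored State: closed (65532)",
    "Host: 192.0.2.11 ()\tStatus: Up",
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 830/open/tcp//netconf?///, "
    "49001/open/tcp//unknown///\tIgnored State: closed (65532)",
])
POST_PATCH_SCAN = "\n".join([
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 830/open/tcp//netconf?///"
    "\tIgnored State: closed (65533)",
    # the second router was missed in the rollout and still exposes the placeholder port
    "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 830/open/tcp//netconf?///, "
    "49001/open/tcp//unknown///\tIgnored State: closed (65532)",
])

if __name__ == "__main__":
    report = diff_scans(parse_grepable(PRE_PATCH_SCAN), parse_grepable(POST_PATCH_SCAN))
    for ip, entry in report.items():
        print(ip, entry)
    print("post-patch scan passes:", post_patch_ok(report))
```

Run the real scans with -oG <file> and feed both files to parse_grepable; a failing post_patch_ok result names the hosts that still need attention, which is a better gate for closing the change than eyeballing a raw diff.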

6. Prevention & Hardening

Best Practices

Practice 1 — Never expose router management or internal service ports to the public internet. PTX routers and all network infrastructure should sit behind a dedicated out-of-band management network. Management interfaces should only be reachable from explicitly whitelisted jump hosts or management VLANs.

Practice 2 — Enforce the Juniper hardened RE protection filter. Juniper's Day One: Hardening Junos Devices guide provides a comprehensive Routing Engine protection filter. Apply it to the loopback interface on all PTX devices.

Practice 3 — Adopt a structured patch management cadence for network infrastructure. Network OS patches are frequently delayed compared to server/endpoint patching. Establish a quarterly review cycle aligned with Juniper's release schedule, with emergency patching procedures triggered by critical CVEs (CVSS ≥ 9.0).

Practice 4 — Use network segmentation to limit blast radius. Even if a router is compromised, lateral movement should be constrained. Segment your network into security zones and enforce inter-zone access policies.

Practice 5 — Monitor for unusual routing changes. Deploy BGP monitoring and route-change alerting (e.g., via RIPE Stat, BGPmon, or your NMS) to catch unexpected route hijacking or manipulation that could indicate a compromised router.

Monitoring & Detection

Even before patching, the following indicators can signal exploitation attempts or success:

  • Unexpected new processes visible in show system processes — particularly short-lived or unknown processes running as root
  • Anomalous BGP state changes — route withdrawals or path preference changes not initiated by your operators
  • Unexpected SSH sessions or configuration changes not tracked in your change management system
  • Syslog entries from the PFE (Packet Forwarding Engine) or the Anomaly Detection daemon with unusual error codes or payloads
  • Out-of-band port scan results showing open ports not in your baseline

Configure syslog export to a centralized SIEM and alert on:

daemon.*: pfe-anomaly-daemon
kernel: Anomaly Detection
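As an added illustration (not code from the page or from Juniper) of how those alerts could be evaluated before they reach the SIEM, the Python below runs three of the indicators above over constructed Junos syslog lines: any message from the anomaly-detection process names listed above, logins whose source address lies outside the trusted management prefix used in the firewall filter example, and commits whose comment carries no change-ticket reference (the CHG-nnnn convention is an assumption). The UI_LOGIN_EVENT and UI_COMMIT message layouts are reproduced from memory of Junos syslog and the sample lines are constructed, so validate the regexes against your own device logs before relying on them.

```python
import ipaddress
import re
from typing import List

# Sources allowed to log in; same prefix as the firewall filter example above (assumption).
TRUSTED_MGMT = [ipaddress.ip_network("192.168.100.0/24")]
# Assumption: every tracked change carries a ticket id such as CHG-12345 in its commit comment.
CHANGE_TAG = re.compile(r"\bCHG-\d+\b")
# Process name the page lists for anomaly-detection messages.
ANOMALY_PROCS = {"pfe-anomaly-daemon"}

_SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
_LOGIN = re.compile(
    r"UI_LOGIN_EVENT: User '(?P<user>[^']+)' login.*?ssh-connection '(?P<src>\S+) "
)
_COMMIT = re.compile(
    r"UI_COMMIT: User '(?P<user>[^']+)' requested '(?P<op>[^']+)' operation "
    r"\(comment: (?P<comment>.*)\)$"
)


def triage_line(line: str) -> List[str]:
    """Return zero or more alert strings for one syslog line."""
    alerts: List[str] = []
    m = _SYSLOG.match(line)
    if m is None:
        return alerts
    host, proc, msg = m["host"], m["proc"], m["msg"]

    # Rule 1: anything from the anomaly-detection daemon, or the kernel talking about it.
    if proc in ANOMALY_PROCS or (proc == "kernel" and "Anomaly Detection" in msg):
        alerts.append(f"{host}: anomaly-detection message for review: {msg}")

    # Rule 2: interactive login whose source is outside the trusted management prefix.
    lm = _LOGIN.search(msg)
    if lm:
        src = ipaddress.ip_address(lm["src"])
        if not any(src in net for net in TRUSTED_MGMT):
            alerts.append(f"{host}: login by '{lm['user']}' from untrusted address {src}")

    # Rule 3: commit whose comment carries no change-ticket reference.
    cm = _COMMIT.search(msg)
    if cm and not CHANGE_TAG.search(cm["comment"]):
        alerts.append(
            f"{host}: commit by '{cm['user']}' not tied to a change ticket "
            f"(comment: {cm['comment']})"
        )
    return alerts


def triage_log(lines: List[str]) -> List[str]:
    """Run triage_line over a batch of syslog lines and flatten the alerts."""
    return [alert for line in lines for alert in triage_line(line)]


# Constructed sample lines in the shape of Junos UI_LOGIN_EVENT / UI_COMMIT messages.
SAMPLE_LOG = [
    "Mar  3 10:14:58 ptx-core-1 mgd[4321]: UI_LOGIN_EVENT: User 'admin' login, "
    "class 'super-user' [4321], ssh-connection '192.168.100.5 51234 192.0.2.10 22', client-mode 'cli'",
    "Mar  3 10:15:02 ptx-core-1 mgd[4321]: UI_COMMIT: User 'admin' requested 'commit' "
    "operation (comment: CHG-20481 apply RE filter)",
    "Mar  3 11:02:41 ptx-core-1 mgd[5120]: UI_LOGIN_EVENT: User 'root' login, "
    "class 'super-user' [5120], ssh-connection '203.0.113.7 40022 192.0.2.10 22', client-mode 'cli'",
    "Mar  3 11:03:09 ptx-core-1 mgd[5120]: UI_COMMIT: User 'root' requested 'commit' "
    "operation (comment: none)",
    "Mar  3 11:03:30 ptx-core-1 kernel: Anomaly Detection: event logged (constructed sample line)",
    "Mar  3 11:03:31 ptx-core-1 pfe-anomaly-daemon[2222]: constructed sample message",
]

if __name__ == "__main__":
    for alert in triage_log(SAMPLE_LOG):
        print(alert)
```

The first two sample lines (a login from the trusted prefix followed by a ticketed commit) produce nothing; the root login from 203.0.113.7, the untagged commit, and the two anomaly-detection lines each raise one alert. Wire the same rules into your SIEM's correlation layer, with the trusted prefix and ticket pattern replaced by your own.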
