Critical CVE-2026-21902 Vulnerability in Juniper Networks PTX Series Routers Running Junos OS Evolved: Full Device Takeover Risk and Mitigation Steps

Executive Summary
A critical vulnerability, CVE-2026-21902, has been discovered in Juniper Networks PTX Series Routers running Junos OS Evolved. This flaw enables unauthenticated, remote attackers to execute arbitrary code as root, potentially resulting in a complete device takeover. The vulnerability stems from incorrect permission assignment in the On-Box Anomaly Detection framework, which is externally exposed by default. This exposure creates a significant risk for organizations relying on these routers for core network operations. Immediate remediation is strongly recommended to prevent potential exploitation and to safeguard critical infrastructure.
Technical Information
CVE-2026-21902 is classified as a critical vulnerability with a CVSS v3.1 base score of 9.8, reflecting its ease of exploitation and the severity of potential impact. The vulnerability is rooted in CWE-732: Incorrect Permission Assignment for Critical Resource. Specifically, the On-Box Anomaly Detection framework, which is designed to be accessed only by internal processes, is inadvertently exposed over an external port. This service operates with root privileges and is enabled by default, requiring no special configuration or authentication.
An attacker with network access to the affected router can exploit this exposure to execute arbitrary code as root. This grants the attacker full control over the device, including the ability to intercept, redirect, or disrupt network traffic, modify configurations, and establish persistent access for further malicious activity.
The affected products are Juniper Networks PTX Series Routers running Junos OS Evolved versions 25.4 prior to 25.4R1-S1-EVO and 25.4R2-EVO. Versions of Junos OS Evolved before 25.4R1-EVO and standard (non-Evolved) Junos OS are not affected. The vulnerability is present in all PTX Series routers running any Junos OS Evolved 25.4.x release prior to the fixed versions.
The attack vector is network-based, requiring only access to the exposed port. No authentication or user interaction is necessary, making this vulnerability particularly dangerous for internet-facing or externally accessible routers.
For further technical details, see the official advisories from Juniper Networks and the National Vulnerability Database.
Exploitation in the Wild
As of the latest public advisories, there is no evidence of active exploitation of CVE-2026-21902 in the wild. However, the criticality of the vulnerability, combined with the fact that the affected service is exposed by default and requires no authentication, makes it an attractive target for threat actors. The attack surface is significant, especially for organizations with PTX routers deployed in core network roles or exposed to untrusted networks.
Security researchers and vendors have emphasized the urgency of patching due to the potential for rapid weaponization. The vulnerability allows for remote code execution as root, which could facilitate a range of malicious activities, including traffic manipulation, data exfiltration, and lateral movement within the network.
Organizations should remain vigilant and monitor for signs of exploitation, as the publication of proof-of-concept code or automated scanning tools could quickly lead to widespread attacks.
APT Groups using this vulnerability
There is currently no public attribution of CVE-2026-21902 exploitation to any specific Advanced Persistent Threat (APT) groups. However, historical context indicates that Juniper Networks routers have been targeted by sophisticated threat actors in the past. Notably, Chinese cyber-espionage groups have conducted campaigns against Juniper devices, including the deployment of custom backdoors such as TinyShell variants and the "J-magic" campaign targeting VPN gateways in critical sectors like semiconductor, energy, manufacturing, and IT.
Additionally, Juniper routers have previously been compromised by botnets such as Mirai, which leveraged vulnerabilities for distributed denial-of-service (DDoS) attacks. Given the strategic importance of PTX routers in telecommunications and cloud infrastructure, it is highly likely that APT groups will seek to exploit this vulnerability if left unpatched.
Relevant MITRE ATT&CK techniques that could be leveraged in conjunction with this vulnerability include T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation), T1078 (Valid Accounts for persistence), and T1046 (Network Service Scanning).
Affected Product Versions
The vulnerability affects Juniper Networks PTX Series Routers running the following versions of Junos OS Evolved: all 25.4.x releases prior to 25.4R1-S1-EVO and 25.4R2-EVO. Specifically, any PTX Series router operating on Junos OS Evolved 25.4 before these fixed releases is vulnerable. Older versions may also be impacted but are not assessed if they are end-of-life (EoL).
Versions not affected include Junos OS Evolved releases before 25.4R1-EVO, Junos OS Evolved 25.4R1-S1-EVO and later, 25.4R2-EVO and later, and all standard (non-Evolved) Junos OS versions.
Organizations should conduct a thorough inventory of their PTX router deployments to identify any instances running vulnerable software versions.
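To support that inventory step, the following added example (not Juniper's code and not part of the advisory) classifies a Junos OS Evolved version string against the affected range stated above, using the boundaries given in this advisory; the sample show version output, hostname and model are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample of "show version" output from a PTX running Junos OS
# Evolved (illustrative text, not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Hostname: ptx-core-1
Model: ptx10008
Junos: 25.4R1-EVO
Yocto: 3.0.2
"""

_VER_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<r>\d+)(?:\.\d+)?"  # 25.4R1, optional build suffix
    r"(?:-S(?P<s>\d+)(?:\.\d+)?)?"                          # optional service release -S1
    r"(?P<evo>-EVO)?$"                                      # Junos OS Evolved marker
)

class JunosVersion(NamedTuple):
    major: int
    minor: int
    r: int
    s: int          # 0 when there is no -S service release
    evolved: bool   # True only for Junos OS Evolved (-EVO) images

def parse_version(text: str) -> JunosVersion:
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    return JunosVersion(int(m["major"]), int(m["minor"]), int(m["r"]),
                        int(m["s"] or 0), m["evo"] is not None)

# Range exactly as the advisory states it: 25.4R1-EVO up to, but not including,
# 25.4R1-S1-EVO; 25.4R2-EVO and later, and releases before 25.4R1-EVO, are not affected.
AFFECTED_FROM = parse_version("25.4R1-EVO")
FIXED_AT = parse_version("25.4R1-S1-EVO")

def _key(v: JunosVersion):
    return (v.major, v.minor, v.r, v.s)

def is_vulnerable(version: str, model: str) -> bool:
    v = parse_version(version)
    if not v.evolved or not model.lower().startswith("ptx"):
        return False  # standard Junos OS and non-PTX platforms are not affected
    return _key(AFFECTED_FROM) <= _key(v) < _key(FIXED_AT)

def assess_show_version(output: str) -> dict:
    """Pull Model and Junos fields out of 'show version' text and classify them."""
    fields = dict(re.findall(r"^(\w+):\s*(\S+)", output, re.MULTILINE))
    return {"model": fields["Model"], "version": fields["Junos"],
            "vulnerable": is_vulnerable(fields["Junos"], fields["Model"])}

if __name__ == "__main__":
    print(assess_show_version(SAMPLE_SHOW_VERSION))
```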
Workaround and Mitigation
The primary remediation is to upgrade affected devices to a fixed version of Junos OS Evolved. The recommended versions are 25.4R1-S1-EVO, 25.4R2-EVO, or 26.2R1-EVO. Upgrading to these releases will eliminate the vulnerability by correcting the permission assignment and restricting external exposure of the On-Box Anomaly Detection framework.
If immediate patching is not feasible, organizations should implement compensating controls to mitigate risk. This includes restricting network access to the vulnerable service using firewall filters or access control lists (ACLs), limiting exposure to trusted management networks only. Additionally, the vulnerable service can be disabled with the following command:
request pfe anomalies disable
This action will prevent the On-Box Anomaly Detection framework from running and eliminate the attack vector until a patch can be applied.
Continuous monitoring for unusual connections to the service port, unexpected root-level processes, and unexplained device reboots or configuration changes is also advised. No specific indicators of compromise (IOCs) have been published for this vulnerability, but these behaviors may signal attempted exploitation.
For detailed remediation steps and official guidance, consult the Juniper Security Advisory JSA107128 and the NVD entry for CVE-2026-21902.
References
For further reading and authoritative sources on this vulnerability, please refer to the following:
BleepingComputer: Critical Juniper Networks PTX flaw allows full router takeover https://www.bleepingcomputer.com/news/security/critical-juniper-networks-ptx-flaw-allows-full-router-takeover/
NVD: CVE-2026-21902 https://nvd.nist.gov/vuln/detail/CVE-2026-21902
Juniper Security Advisory JSA107128 https://kb.juniper.net/JSA107128
SecurityWeek: Juniper Networks PTX Routers Affected by Critical Vulnerability https://www.securityweek.com/juniper-networks-ptx-routers-affected-by-critical-vulnerability/
CSO Online: Security hole could let hackers take over Juniper Networks PTX core routers https://www.csoonline.com/article/4138788/security-hole-could-let-hackers-take-over-juniper-networks-ptx-core-routers.html
Rescana is here for you
At Rescana, we understand the critical importance of timely, actionable intelligence in managing third-party and supply chain cyber risk. Our TPRM platform empowers organizations to continuously monitor, assess, and mitigate vulnerabilities across their digital ecosystem. While this advisory focuses on a specific threat to Juniper Networks PTX Series Routers, our broader mission is to help you stay ahead of emerging risks and maintain operational resilience. If you have any questions about this advisory or require assistance with your cybersecurity posture, our team is ready to help at ops@rescana.com.