Emergency Security Bulletin: Juniper Junos OS Evolved (PTX Series)


By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2026-21902: A critical remote code execution vulnerability affects Juniper Junos OS Evolved on PTX Series routers, allowing unauthenticated attackers to execute code as root via an externally exposed anomaly-detection service. While no active exploitation has been reported, Juniper has released fixed versions, and immediate patching is strongly recommended. Organizations unable to upgrade should restrict access to the affected service and consider disabling the anomaly-detection feature as a temporary mitigation.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Unauthenticated Remote Code Execution as Root in Juniper Junos OS Evolved
(PTX Series)

CVSS Score: 9.8 (Critical, CVSS v3.1)
Identifier: CVE-2026-21902  
PoC or Exploitation:
Juniper has stated it was not aware of active malicious exploitation at the time of disclosure.  

Update / Patch: This vulnerability affects Junos OS Evolved on PTX Series routers only. Standard (non-Evolved) Junos OS is not affected.

Affected versions:
Junos OS Evolved 25.4 releases from 25.4R1-EVO up to, but not including, 25.4R1-S1-EVO and 25.4R2-EVO

Not affected:
Junos OS Evolved releases earlier than 25.4R1-EVO
Junos OS (non-Evolved)

Fixed versions reported by Juniper and public advisories include:
25.4R1-S1-EVO
25.4R2-EVO
26.2R1-EVO

Primary Juniper advisory reference:
https://kb.juniper.net/JSA107128
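The version boundaries above are easy to misread, particularly the difference between 25.4R1-EVO (affected) and 25.4R1-S1-EVO (fixed), and the "-EVO" suffix that separates Junos OS Evolved from standard Junos OS. The script below is an added example written for this bulletin, not code from Juniper or RedLegg; it encodes only the ranges stated in this bulletin, treats any release train the bulletin does not mention (for example 26.1) as "UNKNOWN" rather than guessing, and reads the Model and Junos fields from "show version" output. The sample output embedded in it is constructed to resemble Junos Evolved "show version" output and is not a real capture.

```python
"""Classify a PTX router's Junos OS Evolved release against the CVE-2026-21902
ranges given in this bulletin (Juniper advisory JSA107128).

Added example, not Juniper's or RedLegg's code. The affected / fixed
boundaries come from the bulletin text; the 'show version' sample below is
constructed for illustration and is not a captured device output.
"""
import re

# MM.mRn[-Sn][.build][-EVO]; the optional .build number is ignored because
# fixes are cut at the R/S release level (e.g. 25.4R1.9-EVO is still 25.4R1).
VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$")


def parse_version(ver: str):
    """Return (major, minor, R, S, is_evolved) or None for an unrecognised string."""
    m = VER_RE.match(ver.strip())
    if not m:
        return None
    major, minor, r, s, evo = m.groups()
    return (int(major), int(minor), int(r), int(s or 0), evo is not None)


def classify(model: str, ver: str) -> str:
    """Map a (model, version) pair to AFFECTED / FIXED / NOT_AFFECTED / UNKNOWN
    using only the ranges this bulletin states."""
    if not model.strip().lower().startswith("ptx"):
        return "NOT_AFFECTED"      # bulletin scopes the bug to PTX Series only
    parsed = parse_version(ver)
    if parsed is None:
        return "UNKNOWN"           # unusual release string: check by hand
    major, minor, r, s, evo = parsed
    if not evo:
        return "NOT_AFFECTED"      # standard (non-Evolved) Junos OS not affected
    if (major, minor) < (25, 4):
        return "NOT_AFFECTED"      # earlier than 25.4R1-EVO
    if (major, minor) == (25, 4):
        if r == 1 and s == 0:
            return "AFFECTED"      # 25.4R1-EVO: prior to 25.4R1-S1-EVO
        return "FIXED"             # 25.4R1-S1-EVO, 25.4R2-EVO and later 25.4
    if (major, minor, r) >= (26, 2, 1):
        return "FIXED"             # 26.2R1-EVO is listed as fixed
    return "UNKNOWN"               # e.g. 26.1: not covered by this bulletin


def assess_show_version(text: str) -> dict:
    """Pull the Model and Junos fields out of 'show version' output and classify."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip().lower()] = val.strip()
    model = fields.get("model", "")
    ver = fields.get("junos", "")
    return {"model": model, "version": ver, "status": classify(model, ver)}


# Constructed sample shaped like Junos Evolved 'show version' output (not real).
SAMPLE = """Hostname: ptx-core-1
Model: ptx10008
Junos: 25.4R1-EVO
Yocto: 3.0.2
"""

if __name__ == "__main__":
    print(assess_show_version(SAMPLE))
```

Feed it the text of "show version" from each PTX and treat AFFECTED and UNKNOWN as requiring action; an UNKNOWN result means the release train is not described in this bulletin and should be checked directly against JSA107128.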

Description: CVE-2026-21902 is an incorrect permission assignment vulnerability in the On-Box Anomaly Detection framework in Juniper Junos OS Evolved on PTX Series routers. The affected service is intended to be accessible only by internal processes over an internal routing instance, but its port is exposed externally, so any network-based attacker who can reach that port can interact with the service without authentication and gain code execution as root.

Mitigation Recommendation: Patch immediately by upgrading to a fixed Junos OS Evolved release appropriate for your PTX deployment.

If patching cannot be performed immediately, restrict access to the vulnerable service using firewall filters or ACLs so it is reachable only from trusted internal networks.
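The standard Junos way to do this on the router itself is a loopback (lo0) filter, which applies to traffic destined for the control plane. The fragment below is an added illustration written for this bulletin, not Juniper's published workaround text: the listening port of the anomaly detection service is not stated in this bulletin and must be taken from JSA107128 (substitute it for the placeholder), the protocol is assumed to be TCP for the sake of the example, and 192.0.2.0/24 is an assumed trusted management prefix from the RFC 5737 documentation range. If lo0 already carries an input filter, merge the two blocking terms into it ahead of its existing accept terms rather than replacing it.

```junos
firewall {
    family inet {
        filter PROTECT-RE {
            /* Assumed trusted management prefix (RFC 5737 range); replace with yours. */
            term anomaly-detect-trusted {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    /* Protocol assumed TCP for illustration; confirm against JSA107128. */
                    protocol tcp;
                    /* <service-port> is not given in this bulletin; take it from JSA107128. */
                    destination-port <service-port>;
                }
                then accept;
            }
            term anomaly-detect-block {
                from {
                    protocol tcp;
                    destination-port <service-port>;
                }
                then {
                    count anomaly-detect-blocked;
                    discard;
                }
            }
            /* Keep the rest of your control-plane policy; a real RE filter is stricter than this. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

After committing, "show firewall filter PROTECT-RE" shows the anomaly-detect-blocked counter; a rising count indicates that untrusted sources are probing the port, which is worth correlating with your perimeter logs while the router remains unpatched.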

As a temporary mitigation, consider disabling the vulnerable anomaly detection service using Juniper guidance, for example: request pfe anomalies disable.