Incorrect permission assignment exposes an internal anomaly-detection service, enabling remote root code execution on affected PTX routers.
PTX • Junos OS Evolved • Router takeover • RCE
Metadata
- Affected vendor / product: Juniper Networks PTX Series running Junos OS Evolved
- Primary issue: Unauthenticated remote code execution as root via externally reachable internal service
- Exploitation status: No confirmed in-the-wild exploitation (vendor statement relayed via reporting)
- Severity: Critical (CVSS v3.1 9.8 from vendor) (NVD)
- Patch / mitigation status: Fixed releases available; workarounds include access restriction and disabling the service (BleepingComputer)
- Confidence level: High (vendor CNA text in NVD; corroborated by third-party reporting) (NVD)
Executive Summary
Juniper Networks has disclosed CVE-2026-21902, a critical vulnerability affecting PTX Series routers running Junos OS Evolved. The flaw stems from incorrect permission assignment in the On-Box Anomaly Detection framework, which is intended to be reachable only by internal processes but can become reachable over an externally exposed port, enabling unauthenticated attackers to execute code as root and take full control of the device. (NVD)
Affected versions are limited to specific 25.4 Junos OS Evolved builds (see below); at the time of bulletin publication, Juniper stated it was not aware of malicious exploitation, as relayed by third-party reporting. (BleepingComputer)
For operators, this is a high-priority patching event because successful compromise provides direct control-plane level access on core routing infrastructure commonly deployed in ISP, telecoms, and large-scale network environments. (BleepingComputer)
Context
CVE-2026-21902 is described in the NVD record using Juniper’s CNA-provided text as an Incorrect Permission Assignment for Critical Resource issue (CWE-732). The vulnerable component is the On-Box Anomaly Detection framework, which “should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port”. (NVD)
If an attacker can reach and manipulate this service, they can execute code as root. The service is reported as enabled by default with no specific configuration required, reducing the likelihood that “secure-by-configuration” alone will prevent exposure in all environments. (NVD)
Technical Analysis
Vulnerability mechanism
- Core issue: Incorrect permissions allow an internal service boundary to be broken, exposing an internal-only framework over a port that may be externally reachable. (NVD)
- Impact: Remote code execution as root, resulting in full device takeover. (NVD)
- Access requirements: The NVD record describes this as unauthenticated, network-based. Reporting also frames exploitability as dependent on network reachability to the exposed endpoint. (NVD)
Affected versions
Per the NVD record (Juniper CNA text), this affects Junos OS Evolved on PTX Series:
- 25.4 versions before 25.4R1-S1-EVO
- 25.4R2-EVO (NVD)
The issue does not affect:
- Junos OS Evolved versions before 25.4R1-EVO
- Junos OS (non-Evolved) (NVD)
Severity
Juniper’s CNA scoring in NVD lists:
- CVSS v3.1: 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD)
- CVSS v4.0 (CNA): 9.3 (Critical) (NVD)
Impact Assessment
A successful attacker gains root on the router, which in practical terms can enable:
- Configuration manipulation (routing policy, BGP peers, ACLs, telemetry/export targets)
- Traffic interception or redirection (subject to platform and deployment constraints)
- Credential and key material exposure stored on-device
- Service disruption via control-plane interference or reboot loops
PTX devices are commonly deployed in high-throughput edge, core, and peering roles; the operational blast radius can therefore extend beyond a single site to backbone connectivity depending on routing design and redundancy. (BleepingComputer)
Mitigation Recommendations
Patch
Prioritise upgrades to fixed releases identified in reporting, which states Juniper delivered fixes in:
- 25.4R1-S1-EVO
- 25.4R2-EVO
- 26.2R1-EVO (BleepingComputer)
Where possible, validate the exact fixed build for your platform and deployment using Juniper’s bulletin information via your normal vendor access route.
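To turn the affected-version and fixed-release lists above into a repeatable fleet check, here is an added example (not Juniper's or BleepingComputer's code) that parses Junos OS Evolved version strings and classifies each device. It assumes the three releases listed under Patch are the fixed baselines, that a service release (-Sn) ranks above any build of the same base release, and it uses a constructed inventory rather than real device data.

```python
import re
from typing import Optional, Tuple

# Fixed releases as listed under "Patch" on this page (BleepingComputer).
# Note: 25.4R2-EVO also appears in the NVD-derived affected list above;
# confirm the exact fixed build against the vendor bulletin before relying on it.
FIXED_RELEASES = ("25.4R1-S1-EVO", "25.4R2-EVO", "26.2R1-EVO")
FIRST_AFFECTED = "25.4R1-EVO"   # NVD: Evolved builds before this are not affected

_VER = re.compile(
    r"^(?P<maj>\d+)\.(?P<min>\d+)R(?P<r>\d+)"   # e.g. 25.4R1
    r"(?:\.(?P<build>\d+))?"                     # optional build: 25.4R1.3
    r"(?:-S(?P<s>\d+)(?:\.(?P<sbuild>\d+))?)?"   # optional service release: -S1 / -S1.2
    r"-EVO$"                                     # Junos OS Evolved suffix
)
Key = Tuple[int, int, int, int, int]

def parse_evo(version: str) -> Optional[Key]:
    """Sort key (major, minor, R, S, build) for an -EVO version; None otherwise.
    Ordering assumption (mine): 25.4R1.3 < 25.4R1-S1 < 25.4R1-S1.2 < 25.4R2."""
    m = _VER.match(version.strip())
    if not m:
        return None
    g = lambda name: int(m.group(name) or 0)
    build = g("sbuild") if m.group("s") else g("build")
    return (g("maj"), g("min"), g("r"), g("s"), build)

def classify(version: str) -> str:
    key = parse_evo(version)
    if key is None:
        return "not_evolved_or_unparsed"   # Junos OS (non-Evolved) is not affected
    if key < parse_evo(FIRST_AFFECTED):
        return "not_affected"              # Evolved release before 25.4R1-EVO
    train = key[:2]
    for fixed in FIXED_RELEASES:
        fkey = parse_evo(fixed)
        if fkey[:2] == train and key >= fkey:
            return "fixed"                 # at or above a fixed release on this train
    if train == (25, 4):
        return "affected"                  # 25.4 build below every fixed 25.4 release
    return "not_listed"   # page limits affected builds to 25.4; check the vendor bulletin

# Constructed inventory (hostname,version) for demonstration only.
INVENTORY = """ptx-core-01,25.4R1.3-EVO
ptx-core-02,25.4R1-S1-EVO
ptx-peer-01,23.4R2-S3-EVO
mx-edge-01,25.4R1-S1
"""

def triage(inventory_csv: str) -> dict:
    """Map each hostname to its classification."""
    rows = (line.split(",", 1) for line in inventory_csv.strip().splitlines())
    return {host.strip(): classify(ver) for host, ver in rows}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:14} {status}")
```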
Workarounds and exposure reduction
Where immediate patching is not feasible, implement compensating controls:
- Restrict network access to the vulnerable endpoints using firewall filters or ACLs so only trusted management networks can reach them. (BleepingComputer)
- Disable the vulnerable service if operationally acceptable. Reporting cites Juniper's command as `request pfe anomalies disable`. (BleepingComputer)
Operational hardening
- Ensure management and internal routing instances are not routable from untrusted segments.
- Review any control-plane policing and management-plane ACL baselines for PTX Junos OS Evolved estates.
- Add a change-control checkpoint for “internal services unexpectedly bound to reachable interfaces/VRFs” during upgrades and new deployments.
Incident Response Guidance
If you suspect exposure or compromise:
- Constrain reachability immediately (ACLs / filters) to prevent further access attempts. (BleepingComputer)
- Collect forensic artefacts: candidate/committed config diffs, recent authentication events, NETCONF/SSH logs, process/service status for anomaly-detection components, and any unexpected listening ports on the RE.
- Validate routing integrity: neighbour sessions, route-policy changes, unexpected export targets (Flow/IPFIX/telemetry), and configuration commits outside planned windows.
- Credential hygiene: rotate management credentials and review SSH keys and API tokens if the device was reachable from untrusted networks.
- Rebuild trust: for high-confidence compromise, consider a controlled rebuild/reprovision of the affected node(s) and re-establish known-good configuration.
Threat Intelligence Context
MITRE ATT&CK mapping (observed / implied by vulnerability)
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Network-reachable internal service abused to gain unauthenticated code execution as root (where exposed). (NVD) |
Further Reading
- BleepingComputer reporting on the Juniper PTX router takeover flaw (BleepingComputer)
- NVD entry for CVE-2026-21902 (includes Juniper CNA description and scoring) (NVD)