Juniper PTX Routers Patched Against Root RCE Vulnerability CVE-2026-21902


Juniper Networks released emergency patches for CVE-2026-21902 in Junos OS Evolved 25.4 on PTX Series routers. Unauthenticated attackers could execute root-level code through the exposed On-Box Anomaly detection service. The flaw affects only PTX platforms with default settings enabled.

The vulnerability exposes a critical service meant for internal use only. External traffic reaches it because of incorrect permission settings. No user interaction or authentication is needed, so full router takeover becomes possible remotely.

Juniper discovered the issue during internal testing. No exploitation in the wild has been seen yet. Still, network backbone devices demand immediate action, because ISPs and enterprises run PTX routers at core locations.

Technical Breakdown

CVE-2026-21902 hits the anomaly detection framework. Default settings leave it exposed.

Detail: Information
CVE ID: CVE-2026-21902
Type: Root RCE via service exposure
Affected: Junos OS Evolved 25.4, PTX Series
CVSS Score: Critical (9.8 estimated)
Vector: Network remote, unauthenticated
Discovery: Juniper internal security testing
Patched Versions: 25.4R1-S1-EVO, 25.4R2-EVO, 26.2R1-EVO

The service runs on an external port by mistake. The internal routing instance should block outside access to it.

Vulnerable Configuration

The attack needs no special setup. A default install exposes the service:

  • On-Box Anomaly detection enabled
  • No authentication on management port
  • External traffic reaches internal service

Standard Junos OS is not affected. Only Junos OS Evolved 25.4 on PTX is.

Fix Options

Juniper provides three mitigation paths:

Immediate Patches:

25.4R1-S1-EVO
25.4R2-EVO
26.2R1-EVO

Temporary Workarounds:

  request pfe anomalies disable

This disables the vulnerable service immediately.

Network Filters:

  • Firewall filters block anomaly port
  • Access lists limit trusted IPs only
  • Apply to external interfaces

A reboot is required after the firmware upgrade. Verify that the patched version loaded correctly.

Enterprise Impact

Core routers handle massive traffic. Compromise disrupts:

  • ISP backbone connectivity
  • Enterprise WAN links
  • Data center switching

Root access enables traffic interception, DoS, or persistent footholds. Patch core infrastructure first.

Immediate Actions

Network teams should act now:

  • Identify PTX devices running Junos Evolved 25.4
  • Check show version output immediately
  • Apply request pfe anomalies disable tonight
  • Schedule firmware upgrades for maintenance window
  • Deploy firewall filters on external interfaces

Test connectivity after changes. Monitor logs for exploit attempts.
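The first two steps above can be scripted across an inventory. The following is an added example, not code from Juniper or from this article: it classifies collected "show version" text against the fixed releases listed above. The "Model:" and "Junos:" line format, the optional build-number suffix, and the sample hostnames and outputs are assumptions constructed for illustration.

```python
import re

# Fixed 25.4 releases named in the article: 25.4R1-S1-EVO and 25.4R2-EVO.
FIRST_FIXED_25_4 = (1, 1)  # (R number, S number); 25.4R2 compares higher

# Assumed version format: <major>.<minor>R<n>[-S<n>][.<build>][-EVO]
VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)R(?P<r>\d+)(?:-S(?P<s>\d+))?"
    r"(?:\.\d+)?(?P<evo>-EVO)?",
    re.IGNORECASE,
)


def parse_show_version(text):
    """Pull the model and Junos fields out of 'show version' text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in ("model", "junos"):
            fields[key.strip().lower()] = value.strip()
    return fields


def assess(text):
    """Return 'affected', 'not-affected' or 'unknown' for one device."""
    fields = parse_show_version(text)
    model = fields.get("model", "")
    m = VERSION_RE.fullmatch(fields.get("junos", ""))
    if not model or not m:
        return "unknown"  # unparsed output needs a manual check
    if not model.lower().startswith("ptx") or not m.group("evo"):
        return "not-affected"  # article: only PTX on Junos OS Evolved
    if (int(m.group("major")), int(m.group("minor"))) != (25, 4):
        return "not-affected"  # article: only the 25.4 train is affected
    release = (int(m.group("r")), int(m.group("s") or 0))
    return "affected" if release < FIRST_FIXED_25_4 else "not-affected"


SAMPLES = {  # constructed excerpts, not real device output
    "core-ptx-1": "Hostname: core-ptx-1\nModel: ptx10001-36mr\nJunos: 25.4R1.12-EVO\n",
    "core-ptx-2": "Hostname: core-ptx-2\nModel: ptx10001-36mr\nJunos: 25.4R1-S1.3-EVO\n",
    "core-ptx-3": "Hostname: core-ptx-3\nModel: ptx10001-36mr\nJunos: 25.4R2-EVO\n",
    "edge-mx-1": "Hostname: edge-mx-1\nModel: mx480\nJunos: 23.4R2.13\n",
    "lab-ptx-9": "Hostname: lab-ptx-9\nModel: ptx10001-36mr\n",
}

if __name__ == "__main__":
    for host, output in SAMPLES.items():
        print(f"{host}: {assess(output)}")
```

Devices reported as "unknown" returned output the script could not parse and should be checked by hand rather than assumed safe.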

FAQ

Which Juniper devices face CVE-2026-21902?

PTX Series running Junos OS Evolved 25.4 only.

Does the attack need authentication?

No. The exploit is remote and fully unauthenticated.

What service gets exposed?

On-Box Anomaly detection framework.

How can the vulnerable service be disabled temporarily?

Run request pfe anomalies disable.

Where can Juniper patches be downloaded?

From the Juniper support portal for PTX Series firmware.
