Juniper Networks has issued an out-of-cycle critical security bulletin addressing a severe vulnerability affecting its PTX Series routers running Junos OS Evolved.
The flaw allows an unauthenticated, network-based attacker to execute malicious code with root privileges, potentially leading to complete device takeover.
This critical security issue underscores the importance of securing core network infrastructure against emerging threats, particularly those that bypass authentication mechanisms and allow high-level system access.
PTX Series Vulnerability
Tracked as CVE-2026-21902, the vulnerability stems from an incorrect permission assignment within the On-Box Anomaly detection framework of Junos OS Evolved.
This framework is designed to identify and flag unusual network behaviour, but inadvertently exposes a critical attack surface.
The On-Box Anomaly detection framework should strictly be accessible only to internal processes operating over the internal routing instance.
However, due to the flaw, it is reachable over an externally exposed port. Since this service is enabled by default and requires no specific configuration, attackers can exploit it without prior access or credentials.
By manipulating the exposed service, a remote attacker can execute arbitrary code as the “root” user, granting them unrestricted control over the affected PTX Series router.
This level of access could allow threat actors to intercept traffic, modify configurations, or launch further attacks within the network.
The vulnerability exclusively affects specific versions of Junos OS Evolved running on PTX Series platforms.
Juniper Networks has clarified that the issue does not impact standard Junos OS or earlier versions of Junos OS Evolved before the 25.4 release.
| Detail | Information |
|---|---|
| CVE ID | CVE-2026-21902 |
| Severity | Critical |
| CVSS v3.1 Score | 9.8 |
| CVSS v4.0 Score | 9.3 |
| Affected Product | Junos OS Evolved (PTX Series) |
| Affected Versions | 25.4 versions before 25.4R1-S1-EVO, 25.4R2-EVO |
| Unaffected Versions | Junos OS Evolved before 25.4R1-EVO, Standard Junos OS |
| Attack Vector | Network (Remote) |
| Authentication | None Required |
| Impact | Code Execution as Root (Full Takeover) |
Mitigation and Remediation Strategies
Juniper Networks discovered this vulnerability during internal security testing, and there is currently no evidence of malicious exploitation in the wild.
However, given its critical severity and ease of exploitation, immediate action is necessary.
To resolve the issue, administrators must update their PTX Series routers to a patched version of Junos OS Evolved.
The vulnerability is fixed in releases 25.4R1-S1-EVO, 25.4R2-EVO, 26.2R1-EVO, and all subsequent versions.
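The version table above and the list of fixed releases are easy to misread during a patch sweep, because Junos version strings carry a release number (R1, R2) and an optional service-release suffix (-S1) on top of the train number (25.4). The following script is an added example, not Juniper tooling: it parses version strings in the common MAJOR.MINOR R<release>[.build][-S<service>][-EVO] format (an assumption about the naming scheme) and applies exactly the ranges this bulletin states, treating anything below 25.4R1-S1-EVO on the 25.4 Junos OS Evolved train as affected and everything else (earlier trains, standard Junos OS without the -EVO suffix, and the fixed releases) as not affected. The inventory and hostnames are constructed.

```python
"""Triage Junos OS Evolved version strings against the ranges this
bulletin gives for CVE-2026-21902 on PTX Series routers.

Added example, not Juniper tooling. Assumptions: versions follow
MAJOR.MINOR R<release>[.build][-S<service>[.build]][-EVO]; the affected
range is exactly the one the bulletin states (25.4 train of Junos OS
Evolved before 25.4R1-S1-EVO and 25.4R2-EVO; nothing earlier and no
standard Junos OS release is affected).
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Matches strings such as 25.4R1-EVO, 25.4R1-S1-EVO, 25.4R2.3-EVO, 26.2R1-EVO.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"R(?P<release>\d+)(?:\.\d+)?"          # R<n>, optional build number
    r"(?:-S(?P<service>\d+)(?:\.\d+)?)?"    # optional service release -S<n>
    r"(?P<evo>-EVO)?$"                      # -EVO marks Junos OS Evolved
)

# From the bulletin's "Affected Versions" row and its list of fixed releases.
AFFECTED_TRAIN = (25, 4)
FIRST_FIXED_ON_TRAIN = (1, 1)   # (release, service) of 25.4R1-S1-EVO


class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int
    service: int
    evolved: bool


def parse_version(text: str) -> JunosVersion:
    """Parse a Junos / Junos OS Evolved version string; raise on junk."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    return JunosVersion(
        major=int(m["major"]),
        minor=int(m["minor"]),
        release=int(m["release"]),
        service=int(m["service"]) if m["service"] else 0,
        evolved=m["evo"] is not None,
    )


def classify(text: str) -> str:
    """Explain why a version is or is not inside the bulletin's affected range."""
    v = parse_version(text)
    if not v.evolved:
        return "not affected: standard Junos OS"
    if (v.major, v.minor) < AFFECTED_TRAIN:
        return "not affected: Junos OS Evolved before 25.4R1-EVO"
    if (v.major, v.minor) > AFFECTED_TRAIN:
        return "not affected: train not in the bulletin's affected list"
    # 25.4 train: fixed from 25.4R1-S1-EVO onwards, which also covers 25.4R2-EVO
    # because (2, 0) compares greater than (1, 1).
    if (v.release, v.service) >= FIRST_FIXED_ON_TRAIN:
        return "not affected: fixed release"
    return "AFFECTED: upgrade to 25.4R1-S1-EVO / 25.4R2-EVO or later"


def is_affected(text: str) -> bool:
    return classify(text).startswith("AFFECTED")


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (hostname, version) for every device still running an affected build."""
    return [(host, ver) for host, ver in inventory.items() if is_affected(ver)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ptx-core-1": "25.4R1-EVO",
    "ptx-core-2": "25.4R1.3-EVO",
    "ptx-edge-1": "25.4R1-S1-EVO",
    "ptx-edge-2": "25.4R2-EVO",
    "ptx-lab-1": "24.4R2-EVO",
    "mx-edge-1": "25.4R1",        # standard Junos OS, not Evolved
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:12} {ver:16} {classify(ver)}")
```

The ordered-tuple comparison is the point of the example: a release/service pair such as (1, 0) for 25.4R1-EVO sorts below the first fixed pair (1, 1), while 25.4R2-EVO as (2, 0) sorts above it, so one comparison captures both fixed builds the bulletin names. Feed the script real `show version` output only after checking that your devices report versions in this format; build numbers and suffixes vary between trains.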
For organizations unable to apply the software update immediately, Juniper Networks provides effective workarounds to mitigate the risk.
Network administrators can restrict access to the affected service by implementing strict access control lists (ACLs) or firewall filters.
These filters should be configured to permit only explicitly trusted networks and hosts while blocking all other connections.
Alternatively, administrators can completely disable the vulnerable service by executing the command `request pfe anomalies disable` via the command-line interface.
Disabling the service removes the attack vector entirely, providing a temporary safeguard until the permanent patch can be deployed.