CVE-2026-21902
Published 2026-02-25
Priority: P1 · 95 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 17.71% (96.8th percentile)
An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root.
The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port. With the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device.
Please note that this service is enabled by default as no specific configuration is required.
This issue affects Junos OS Evolved on PTX Series:
* 25.4 versions before 25.4R1-S1-EVO, 25.4R2-EVO.
This issue does not affect Junos OS Evolved versions before 25.4R1-EVO.
This issue does not affect Junos OS.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| juniper | junos_os | — | — |
| juniper | junos_os_evolved | — | — |
| juniper_networks | junos_os_evolved | >= 25.4 < 25.4R1-S1-EVO, 25.4R2-EVO | 25.4R1-S1-EVO, 25.4R2-EVO |
Detection & IOCs (extracted from sources)
port: 8160
path: /config/command/
path: /config/dag/
path: /config/dag-instance/
path: /config/config/commit
snort
alert http $EXTERNAL_NET any -> $HOME_NET 8160 (msg:"ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M1"; flow:established,to_server; http.uri; content:"/config/command/"; startswith; fast_pattern; http.content_type; bsize:16; content:"application/json"; http.request_body; content:"|22|syntax|22 3a|"; content:"|22|type|22 3a|"; content:"|22|RE-SHELL|22 2c|"; within:15; content:"|22|parsing|22 3a|"; content:"|22|outputs|22 3a|"; content:"|22|result|22 3a|"; content:"|7b 22|type|22 3a|"; within:15; content:"|22|str|22 7d|"; within:10; content:"|22|doc|22 3a|"; reference:url,labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/; reference:cve,2026-21902; classtype:attempted-admin; sid:2067997; rev:1; metadata:affected_product JunOS, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_03, cve CVE_2026_21902, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET 8160 (msg:"ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M2"; flow:established,to_server; http.uri; content:"/config/dag/"; startswith; fast_pattern; http.content_type; bsize:16; content:"application/json"; http.request_body; content:"|22|start|22 3a|"; content:"|22|edges|22 3a|"; content:"|22|actions|22 3a|"; content:"|22|command|22 3a|"; content:"|22|inputs|22 3a|"; content:"|7b 7d|"; within:10; content:"|22|doc|22 3a|"; reference:url,labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/; reference:cve,2026-21902; classtype:attempted-admin; sid:2067998; rev:1;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET 8160 (msg:"ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M3"; flow:established,to_server; http.uri; content:"/config/dag-instance/"; startswith; fast_pattern; http.content_type; bsize:16; content:"application/json"; http.request_body; content:"|22|dag|22 3a|"; content:"|22|enabled|22 3a|"; content:"True|2c|"; within:10; content:"|22|platform|22 3a|"; content:"|22|target|22 3a|"; content:"|22|type|22 3a|"; content:"|22|RE|22|"; within:10; content:"|22|schedule|22 3a|"; content:"|22|start|22 3a|"; content:"|22|delay|22 3a|"; content:"0"; within:5; content:"|22|context|22 3a|"; content:"|7b 7d|"; within:10; reference:url,labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/; reference:cve,2026-21902; classtype:attempted-admin; sid:2067999; rev:1;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET 8160 (msg:"ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M4"; flow:established,to_server; http.uri; bsize:21; content:"/config/config/commit"; startswith; fast_pattern; http.content_type; bsize:16; content:"application/json"; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/; reference:cve,2026-21902; classtype:attempted-admin; sid:2068000; rev:1;)
- Monitor for inbound HTTP traffic to port 8160 from external networks; this port should only be reachable by internal processes and any external access is anomalous.
- Detect exploitation attempts via HTTP POST to /config/command/ with JSON body containing 'RE-SHELL' type field, indicating remote shell command injection (M1 pattern).
- Detect exploitation attempts via HTTP POST to /config/dag/ with JSON body containing 'edges', 'actions', and 'command' fields (M2 DAG workflow injection pattern).
- Detect exploitation attempts via HTTP POST to /config/dag-instance/ with JSON body enabling a DAG targeting 'RE' platform type (M3 DAG instance scheduling pattern).
- Detect the commit step of the exploit chain via HTTP POST to exactly /config/config/commit with an empty JSON body (M4 commit trigger pattern).
- The service is enabled by default with no configuration required; all Junos OS Evolved 25.4R1-EVO through pre-25.4R1-S1-EVO/25.4R2-EVO on PTX Series should be treated as exposed.
- Only Junos OS Evolved 25.4R1-EVO through pre-25.4R1-S1-EVO / pre-25.4R2-EVO on PTX Series is affected. Versions before 25.4R1-EVO and all standard (non-Evolved) Junos OS are NOT affected.
- Older EoL/EoE releases may also be impacted but Juniper does not assess them; treat any PTX running Evolved 25.4 as vulnerable until patched.
- No exploitation in the wild was confirmed at time of advisory publication; however the service runs as root and requires no authentication, making it a high-priority patch target.
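For retrospective hunting where only HTTP metadata logs exist, the sketch below applies the port and URI conditions from the notes above to parsed log records. It is an added example, not code from any of the cited sources; the record field names and the internal address ranges are assumptions, and it is coarser than the rules because it does not inspect request bodies.

```python
import ipaddress

# Assumed internal address plan; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SERVICE_PORT = 8160
# (label, URI, exact match?) from the four rule URIs listed on this page.
STAGES = [("M1", "/config/command/", False), ("M2", "/config/dag/", False),
          ("M3", "/config/dag-instance/", False), ("M4", "/config/config/commit", True)]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(rec):
    """Return 'M1'..'M4', 'EXPOSED' for any other external hit on 8160, else None."""
    if rec["dst_port"] != SERVICE_PORT or not is_external(rec["src_ip"]):
        return None
    uri = rec["uri"].split("?", 1)[0]
    is_json_post = rec["method"] == "POST" and rec.get("content_type") == "application/json"
    for label, path, exact in STAGES:
        matched = uri == path if exact else uri.startswith(path)
        # M4 is the commit trigger: exact URI and a zero-length body.
        if is_json_post and matched and (label != "M4" or rec.get("content_length") == 0):
            return label
    return "EXPOSED"

def triage(records):
    """Group stage labels by source address, in log order."""
    hits = {}
    for rec in records:
        label = classify(rec)
        if label:
            hits.setdefault(rec["src_ip"], []).append(label)
    return hits

def full_chain(hits):
    """Sources that touched all four stages (a complete M1-M4 sequence)."""
    return sorted(ip for ip, seen in hits.items() if {"M1", "M2", "M3", "M4"} <= set(seen))

# Constructed sample records in an assumed log schema; not real traffic.
FIELDS = ("src_ip", "dst_port", "method", "uri", "content_type", "content_length")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("203.0.113.7", 8160, "POST", "/config/command/", "application/json", 312),
    ("203.0.113.7", 8160, "POST", "/config/dag/", "application/json", 540),
    ("203.0.113.7", 8160, "POST", "/config/dag-instance/", "application/json", 268),
    ("203.0.113.7", 8160, "POST", "/config/config/commit", "application/json", 0),
    ("198.51.100.9", 8160, "GET", "/", None, None),
    ("10.1.1.5", 8160, "POST", "/config/command/", "application/json", 312),
    ("203.0.113.7", 443, "POST", "/config/command/", "application/json", 312),
]]
```

A source returned by `full_chain` warrants immediate investigation of the device; an `EXPOSED` hit alone still shows that port 8160 is reachable from outside.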
CVSS provenance
nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 9.3 · CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Red
vulncheck · 9.3 · CRITICAL
Juniper
CVE-2026-21902: An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved
vendor_juniper·2026-02-25·CVSS 9.8
CVE-2026-21902 [CRITICAL] CWE-732 CVE-2026-21902: An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved
GHSA
GHSA-5w57-gjvc-whwc: An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved
ghsa_unreviewed·2026-02-25
CVE-2026-21902 [CRITICAL] CWE-732 GHSA-5w57-gjvc-whwc: An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved
VulnCheck
Juniper junos_os_evolved Incorrect Permission Assignment for Critical Resource
vulncheck·2026·CVSS 9.3
CVE-2026-21902 [CRITICAL] Juniper junos_os_evolved Incorrect Permission Assignment for Critical Resource
Suricata
ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M1
suricata·2026-03-03·CVSS 9.3
CVE-2026-21902 [CRITICAL] ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M1
Suricata
ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M2
suricata·2026-03-03·CVSS 9.3
CVE-2026-21902 [CRITICAL] ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M2
Suricata
ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M3
suricata·2026-03-03·CVSS 9.3
CVE-2026-21902 [CRITICAL] ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M3
Suricata
ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M4
suricata·2026-03-03·CVSS 9.3
CVE-2026-21902 [CRITICAL] ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M4
No public exploits indexed.
Bleepingcomputer
Critical Juniper Networks PTX flaw allows full router takeover
blogs_bleepingcomputer·2026-02-26·CVSS 9.3
[CRITICAL] Critical Juniper Networks PTX flaw allows full router takeover
## Critical Juniper Networks PTX flaw allows full router takeover
## Bill Toulas
A critical vulnerability in the Junos OS Evolved network operating system running on PTX Series routers from Juniper Networks could allow an unauthenticated attacker to execute code remotely with root privileges.
PTX Series routers are high-performance core and peering routers built for high throughput, low latency, and scale. They are commonly used by internet service providers, telecommunication services, and cloud network applications.
The security issue is identified as CVE-2026-21902 and is caused by incorrect permission assignment in the ‘On-Box Anomaly Detection’ framework, which should be exposed to internal processes only over the internal routing interface.
However, the glitch allows accessing t
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Published: 2026-02-25
Exploited in the wild