CVE-2026-21902
published 2026-02-25

CVE-2026-21902: An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX…

Priority: P195 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 17.71% (96.8th percentile)
An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root. The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port. With the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device. Please note that this service is enabled by default as no specific configuration is required. This issue affects Junos OS Evolved on PTX Series: * 25.4 versions before 25.4R1-S1-EVO, 25.4R2-EVO. This issue does not affect Junos OS Evolved versions before 25.4R1-EVO. This issue does not affect Junos OS.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| juniper | junos_os | | |
| juniper | junos_os_evolved | | |
| juniper_networks | junos_os_evolved | >= 25.4 < 25.4R1-S1-EVO, 25.4R2-EVO | 25.4R1-S1-EVO, 25.4R2-EVO |

Detection & IOCs (extracted from sources)

port: 8160
path: /config/command/
path: /config/dag/
path: /config/dag-instance/
path: /config/config/commit
command: request pfe anomalies disable
snort
alert http $EXTERNAL_NET any -> $HOME_NET 8160 (msg:"ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M1"; flow:established,to_server; http.uri; content:"/config/command/"; startswith; fast_pattern; http.content_type; bsize:16; content:"application/json"; http.request_body; content:"|22|syntax|22 3a|"; content:"|22|type|22 3a|"; content:"|22|RE-SHELL|22 2c|"; within:15; content:"|22|parsing|22 3a|"; content:"|22|outputs|22 3a|"; content:"|22|result|22 3a|"; content:"|7b 22|type|22 3a|"; within:15; content:"|22|str|22 7d|"; within:10; content:"|22|doc|22 3a|"; reference:url,labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/; reference:cve,2026-21902; classtype:attempted-admin; sid:2067997; rev:1; metadata:affected_product JunOS, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_03, cve CVE_2026_21902, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET 8160 (msg:"ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M2"; flow:established,to_server; http.uri; content:"/config/dag/"; startswith; fast_pattern; http.content_type; bsize:16; content:"application/json"; http.request_body; content:"|22|start|22 3a|"; content:"|22|edges|22 3a|"; content:"|22|actions|22 3a|"; content:"|22|command|22 3a|"; content:"|22|inputs|22 3a|"; content:"|7b 7d|"; within:10; content:"|22|doc|22 3a|"; reference:url,labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/; reference:cve,2026-21902; classtype:attempted-admin; sid:2067998; rev:1;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET 8160 (msg:"ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M3"; flow:established,to_server; http.uri; content:"/config/dag-instance/"; startswith; fast_pattern; http.content_type; bsize:16; content:"application/json"; http.request_body; content:"|22|dag|22 3a|"; content:"|22|enabled|22 3a|"; content:"True|2c|"; within:10; content:"|22|platform|22 3a|"; content:"|22|target|22 3a|"; content:"|22|type|22 3a|"; content:"|22|RE|22|"; within:10; content:"|22|schedule|22 3a|"; content:"|22|start|22 3a|"; content:"|22|delay|22 3a|"; content:"0"; within:5; content:"|22|context|22 3a|"; content:"|7b 7d|"; within:10; reference:url,labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/; reference:cve,2026-21902; classtype:attempted-admin; sid:2067999; rev:1;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET 8160 (msg:"ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M4"; flow:established,to_server; http.uri; bsize:21; content:"/config/config/commit"; startswith; fast_pattern; http.content_type; bsize:16; content:"application/json"; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,labs.watchtowr.com/sometimes-you-can-just-feel-the-security-in-the-design-junos-os-evolved-cve-2026-21902-rce/; reference:cve,2026-21902; classtype:attempted-admin; sid:2068000; rev:1;)
  • Monitor for inbound HTTP traffic to port 8160 from external networks; this port should only be reachable by internal processes and any external access is anomalous.
  • Detect exploitation attempts via HTTP POST to /config/command/ with JSON body containing 'RE-SHELL' type field, indicating remote shell command injection (M1 pattern).
  • Detect exploitation attempts via HTTP POST to /config/dag/ with JSON body containing 'edges', 'actions', and 'command' fields (M2 DAG workflow injection pattern).
  • Detect exploitation attempts via HTTP POST to /config/dag-instance/ with JSON body enabling a DAG targeting 'RE' platform type (M3 DAG instance scheduling pattern).
  • Detect the commit step of the exploit chain via HTTP POST to exactly /config/config/commit with an empty JSON body (M4 commit trigger pattern).
  • The service is enabled by default with no configuration required; all Junos OS Evolved 25.4R1-EVO through pre-25.4R1-S1-EVO/25.4R2-EVO on PTX Series should be treated as exposed.
  • Only Junos OS Evolved 25.4R1-EVO through pre-25.4R1-S1-EVO / pre-25.4R2-EVO on PTX Series is affected. Versions before 25.4R1-EVO and all standard (non-Evolved) Junos OS are NOT affected.
  • Older EoL/EoE releases may also be impacted but Juniper does not assess them; treat any PTX running Evolved 25.4 as vulnerable until patched.
  • No exploitation in the wild was confirmed at time of advisory publication; however the service runs as root and requires no authentication, making it a high-priority patch target.

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Red
vulncheck | 9.3 | CRITICAL