Mallory
Critical · Public exploit

Unauthenticated Root RCE in Juniper Junos OS Evolved PTX On-Box Anomaly Detection

Identifiers: CVE-2026-21902 · CWE-732 (Incorrect Permission Assignment…)

CVE-2026-21902 is an incorrect permission assignment vulnerability in the On-Box Anomaly Detection framework of Juniper Networks Junos OS Evolved on PTX Series devices. The framework is intended to be reachable only by internal processes over the internal routing instance, but on affected releases it is exposed via an externally reachable port. The service is enabled by default, runs as root, and requires no specific configuration to be active. Public technical analysis indicates the exposed framework provides a Python-based REST API for defining commands, DAGs, handlers, and DAG instances; attacker-controlled command syntax can be committed and later executed by the scheduler, resulting in arbitrary command execution as root. Juniper states the issue affects Junos OS Evolved on PTX Series 25.4 versions before 25.4R1-S1-EVO and 25.4R2-EVO. Versions before 25.4R1-EVO are not affected, and standard Junos OS is not affected.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated, network-based attacker to execute arbitrary code as root on an affected PTX Series router. This can result in complete device compromise, including full administrative control, modification of routing behavior, interception or rerouting of traffic, access to sensitive configuration and operational data, service disruption, and use of the router as a persistence or lateral movement point within provider, telecom, or data center environments.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to the exposed On-Box Anomaly Detection service so it is reachable only from trusted internal paths, consistent with its intended internal-only design: apply a firewall filter or ACL, in front of the device or on the device itself, that drops traffic to the service port (TCP 8160 by default, per the public exploit) from any source that is not a management host. Juniper also provides an operational mitigation that disables the affected service with the CLI command "request pfe anomalies disable". Because "request" commands are operational actions rather than configuration statements, confirm the service is still disabled after any reboot or software upgrade. Finally, review logs and network telemetry for unexpected HTTP requests to the service port, in particular POST requests to /config/command, /config/dag, /config/dag-instance and /config/commit, which is the sequence the public exploit uses.

Remediation

Patch, then assume compromise.

Upgrade affected Junos OS Evolved PTX Series devices to a fixed release. Juniper states the issue is resolved in 25.4R1-S1-EVO, 25.4R2-EVO, and later fixed releases referenced by the vendor advisory. Standard Junos OS is not affected. Validate that deployed PTX Series systems are not running a 25.4 Junos OS Evolved build prior to the fixed versions (the running release is reported by "show version") and apply vendor-recommended updates immediately. Because exploitation yields root and a public exploit exists, treat any device that was reachable on the service port while vulnerable as potentially compromised: inspect the framework's defined commands, DAGs and DAG instances for entries you did not create, review the configuration and routing state for unexpected changes, and rotate credentials and keys stored on the device.
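To make the version check concrete, the following is an added example (not code from Juniper or Mallory) that classifies Junos version strings against the affected range stated above and triages an inventory into patch-first groups. The version grammar, the model-name check and the inventory rows are assumptions constructed for the example; trains newer than 25.4 are reported as needing a check against the vendor advisory rather than being assumed fixed, since this page only characterises 25.4.

```python
"""Classify Junos OS / Junos OS Evolved version strings against the affected
range stated above for CVE-2026-21902.  Added example, not code from Juniper
or Mallory.  The version grammar and the sample inventory rows are
assumptions constructed for the example."""
import re

# Assumed Junos version grammar:
#   MAJOR.MINOR R RELEASE [.BUILD] [-S SERVICE [.BUILD]] [-D DAILY] [-EVO]
# e.g. 25.4R1-EVO, 25.4R1.3-EVO, 25.4R1-S1-EVO, 25.4R2-EVO, 25.4R1 (non-Evolved)
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"R(?P<release>\d+)(?:\.(?P<build>\d+))?"
    r"(?:-S(?P<service>\d+)(?:\.(?P<sbuild>\d+))?)?"
    r"(?:-D(?P<daily>\d+))?"
    r"(?P<evo>-EVO)?$",
    re.IGNORECASE,
)

def parse_version(text):
    """Split a version string into the fields the affected-range check needs."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    return {
        "train": (int(m["major"]), int(m["minor"])),
        "release": int(m["release"]),
        "service": int(m["service"]) if m["service"] else 0,
        "evo": m["evo"] is not None,
    }

def assess(version, model="PTX"):
    """Return one of: not_affected, vulnerable, fixed, check_advisory.

    Encodes only what the page states: PTX Series on Junos OS Evolved 25.4
    before 25.4R1-S1-EVO / 25.4R2-EVO is vulnerable; releases before
    25.4R1-EVO and standard Junos OS are not affected.  Later trains are not
    described on this page, so they are returned as check_advisory.
    """
    v = parse_version(version)
    if not v["evo"]:
        return "not_affected"            # standard Junos OS is out of scope
    if not model.upper().startswith("PTX"):
        return "not_affected"            # advisory scope is PTX Series
    if v["train"] < (25, 4):
        return "not_affected"            # before 25.4R1-EVO
    if v["train"] == (25, 4):
        if v["release"] == 1 and v["service"] < 1:
            return "vulnerable"          # 25.4R1-EVO and any 25.4R1.x build
        return "fixed"                   # 25.4R1-S1-EVO, 25.4R2-EVO and later 25.4
    return "check_advisory"              # 25.5 and later: confirm with the vendor advisory

# Constructed sample inventory: (hostname, model, version as shown by "show version")
INVENTORY = [
    ("ptx-core-1", "PTX10008", "25.4R1-EVO"),
    ("ptx-core-2", "PTX10008", "25.4R1.3-EVO"),
    ("ptx-edge-1", "PTX10003", "25.4R1-S1-EVO"),
    ("ptx-edge-2", "PTX10001", "25.4R2-EVO"),
    ("ptx-lab-1",  "PTX10003", "24.4R2-EVO"),
    ("mx-pe-1",    "MX304",    "25.4R1"),
]

def triage(rows):
    """Group hostnames by assessment so the vulnerable set can be patched first."""
    groups = {"vulnerable": [], "fixed": [], "not_affected": [], "check_advisory": []}
    for host, model, version in rows:
        groups[assess(version, model)].append(host)
    return groups

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:15s} {', '.join(hosts) or '-'}")
```

Feed it the (hostname, model, version) tuples from your own inventory export; anything the regex rejects raises rather than silently passing, which is the behaviour you want in a compliance check.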
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 1 / 1 total
watchTowr-vs-JunosEvolved-CVE-2026-21902 · Maturity: PoC · Verified exploit

Repository contains a single Python script plus a README. The script (watchTowr-vs-JunosEvolved-CVE-2026-21902.py) is an unauthenticated network RCE artifact generator for Juniper Junos OS Evolved PTX devices vulnerable to CVE-2026-21902. It targets an HTTP service on the device (default port 8160) and performs a sequence of API calls: (1) cleanup via DELETE of prior objects (command/DAG/DAG-instance), (2) POST /config/command/<name> to create a command of type `RE-SHELL` with attacker-controlled `syntax` (the shell command), (3) POST /config/dag/<name> to create a DAG that runs that command, (4) POST /config/dag-instance/<name> to enable and schedule immediate execution (start=now, delay=0) for a specified platform string, and (5) POST /config/commit to apply changes. It then waits ~30 seconds for the scheduled job to run. Despite being described as a detection script, it actively executes an arbitrary command on the target to validate exploitability.

watchtowrlabs · Disclosed Feb 28, 2026 · python · network
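The request sequence described above is distinctive enough to detect from HTTP telemetry for the service port. The following is an added example of that detection logic, not code from the watchTowr repository, Juniper or Mallory: it groups staged requests per source into short time windows and scores a window as critical when the full chain was committed and the command object was typed RE-SHELL. The log line format, JSON bodies and source addresses are constructed for the example; the request paths and the RE-SHELL type follow the exploit description above.

```python
"""Flag the CVE-2026-21902 exploitation sequence in HTTP request telemetry
for the On-Box Anomaly Detection service.  Added example, not code from the
watchTowr repository, Juniper or Mallory.  Log format, JSON bodies and
addresses are constructed; paths and RE-SHELL follow the public exploit."""
import re
from collections import defaultdict
from datetime import datetime, timezone

SERVICE_PORT = 8160     # default port targeted by the public exploit
WINDOW_SECONDS = 120    # the exploit issues its requests back to back

# Stages of the public exploit, in the order it issues them (all POST).
STAGES = [
    ("command",      re.compile(r"^/config/command/[^/?]+$")),
    ("dag",          re.compile(r"^/config/dag/[^/?]+$")),
    ("dag-instance", re.compile(r"^/config/dag-instance/[^/?]+$")),
    ("commit",       re.compile(r"^/config/commit$")),
]
FULL_CHAIN = {name for name, _ in STAGES}

# Constructed line format: "<ts> src=<ip> dport=<port> method=<M> path=<p> [body=<json>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+)(?: body=(?P<body>.*))?$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    req["dport"] = int(req["dport"])
    req["body"] = req["body"] or ""
    return req

def classify(req):
    """Name the exploit stage a request corresponds to, or None."""
    if req["method"] != "POST":
        return None
    for name, rx in STAGES:
        if rx.match(req["path"]):
            return name
    return None

def detect(lines):
    """Return one finding per (source, time window) that touched the config API.

    critical: full chain committed and the command was typed RE-SHELL (root shell)
    high:     full chain committed, command type not visible in telemetry
    medium:   partial chain, e.g. objects created but never committed
    """
    per_src = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req and req["dport"] == SERVICE_PORT:
            per_src[req["src"]].append(req)

    findings = []
    for src, reqs in sorted(per_src.items()):
        reqs.sort(key=lambda r: r["ts"])
        window, window_start = None, None
        for r in reqs:
            stage = classify(r)
            if stage is None:
                continue
            if window is None or (r["ts"] - window_start).total_seconds() > WINDOW_SECONDS:
                window_start = r["ts"]                      # open a new window
                window = {"src": src, "first_seen": r["ts"].isoformat(),
                          "stages": [], "objects": [], "re_shell": False}
                findings.append(window)
            window["stages"].append(stage)
            if stage == "command":
                window["objects"].append(r["path"].rsplit("/", 1)[-1])
                if "RE-SHELL" in r["body"].upper():     # shell-type command definition
                    window["re_shell"] = True

    for w in findings:
        w["complete"] = FULL_CHAIN <= set(w["stages"])
        w["severity"] = ("critical" if w["complete"] and w["re_shell"]
                         else "high" if w["complete"] else "medium")
    return findings

# Constructed telemetry: one full exploit run, one probe that never commits, one benign read.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z src=203.0.113.7 dport=8160 method=DELETE path=/config/dag-instance/wt
2026-03-01T10:00:00Z src=203.0.113.7 dport=8160 method=DELETE path=/config/dag/wt
2026-03-01T10:00:00Z src=203.0.113.7 dport=8160 method=DELETE path=/config/command/wt
2026-03-01T10:00:01Z src=203.0.113.7 dport=8160 method=POST path=/config/command/wt body={"type":"RE-SHELL","syntax":"id > /tmp/pwned"}
2026-03-01T10:00:02Z src=203.0.113.7 dport=8160 method=POST path=/config/dag/wt body={"commands":["wt"]}
2026-03-01T10:00:02Z src=203.0.113.7 dport=8160 method=POST path=/config/dag-instance/wt body={"enable":true,"start":"now","delay":0}
2026-03-01T10:00:03Z src=203.0.113.7 dport=8160 method=POST path=/config/commit
2026-03-01T10:05:10Z src=198.51.100.9 dport=8160 method=POST path=/config/command/probe body={"type":"RE-SHELL","syntax":"uname -a"}
2026-03-01T10:20:00Z src=10.0.0.5 dport=8160 method=GET path=/config/dag/weekly
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:8s} {f['src']:14s} stages={','.join(f['stages'])} objects={f['objects']}")
```

Because the service is meant to be internal-only, even a medium finding from a non-management source is worth an alert; the severity tiers just order the response. If your telemetry does not carry request bodies, the RE-SHELL check never fires and a committed chain lands at high rather than critical, which is the intended conservative behaviour.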
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor            Product                        Type
Juniper Networks  Junos OS Evolved               operating_system
Juniper Networks  Junos OS Evolved (PTX Series)  operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn't show

This page is what's public. Additional data for this CVE is available in the Mallory app:

- Exposure mapping: assets running an affected version, and the blast radius.
- Threat actor evidence: every observed campaign linking this CVE to a named adversary.
- Associated malware: malware families riding this exploit, with evidence and IOCs.
- Detection signatures (1): YARA, Sigma, Snort, and vendor rules.
- Vendor-by-vendor mapping: every affected SKU, including bundled OEM variants.
- Social activity (59): community discussion across Reddit, Mastodon, and other social sources.