Juniper Networks has issued an urgent out-of-cycle security bulletin warning of a critical vulnerability affecting its PTX Series routers running Junos OS Evolved. The vulnerability, tracked as CVE-2026-21902, carries a CVSS score of 9.8 and allows an unauthenticated, network-based attacker to execute arbitrary code as root.
The flaw originates from an “Incorrect Permission Assignment for Critical Resource” within the On-Box Anomaly detection framework of the operating system. Under normal circumstances, this framework is designed strictly for internal communication. As Juniper’s bulletin explicitly states, “The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port.”
Because the framework is instead reachable on an externally exposed port, anyone who can reach that port can interact with the service without passing the authentication that protects the device's management interfaces.
The impact of this vulnerability cannot be overstated. According to the advisory, “with the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device.”
Complicating matters for network defenders, the vulnerable service is active without any action by the operator. Juniper notes, “Please note that this service is enabled by default as no specific configuration is required.”
Currently, the Juniper Security Incident Response Team (SIRT) reports that they are “not aware of any malicious exploitation of this vulnerability.” However, given the 9.8 severity score and the ease of network-based exploitation, administrators should act quickly.
Affected Software:
- The issue impacts Junos OS Evolved on PTX Series devices running 25.4 versions before 25.4R1-S1-EVO and 25.4R2-EVO.
Unaffected Software:
- The vulnerability does not affect Junos OS Evolved versions prior to 25.4R1-EVO.
- Standard Junos OS is also not affected.
Juniper has released fixed software. Administrators should upgrade to 25.4R1-S1-EVO now, or to 25.4R2-EVO or 26.2R1-EVO once those releases are available.
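To turn the version ranges above into a repeatable check, the following added example (not code from Juniper or from this bulletin) parses Junos OS Evolved version strings and classifies a device as affected or not. The version-string pattern, the "Model:" / "Junos:" lines in the sample `show version` output, and the helper names are assumptions made for this example.

```python
import re
from typing import NamedTuple, Optional

# Encoded from the bulletin text on this page: Junos OS Evolved on PTX Series,
# 25.4 releases from 25.4R1-EVO up to but not including 25.4R1-S1-EVO are
# affected; 25.4R2-EVO and later, and anything before 25.4R1-EVO, are not.
AFFECTED_TRAIN = (25, 4)
FIRST_AFFECTED = (1, 0)   # 25.4R1-EVO    expressed as (R, S)
FIRST_FIXED = (1, 1)      # 25.4R1-S1-EVO expressed as (R, S)

# Assumed shape of an Evolved version string: 25.4R1-EVO, 25.4R1.8-EVO,
# 25.4R1-S1-EVO, 25.4R1-S1.2-EVO (build numbers after a dot are ignored).
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<r>\d+)(?:\.\d+)?"
    r"(?:-S(?P<s>\d+)(?:\.\d+)?)?"
    r"-EVO$"
)


class JunosEvoVersion(NamedTuple):
    major: int
    minor: int
    r: int   # main release number (R1, R2, ...)
    s: int   # service release number (S1, S2, ...), 0 when absent


def parse_evo_version(text: str) -> Optional[JunosEvoVersion]:
    """Return the parsed version, or None if this is not an Evolved string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None  # e.g. classic Junos "25.4R1" has no -EVO suffix
    return JunosEvoVersion(int(m["major"]), int(m["minor"]),
                           int(m["r"]), int(m["s"] or 0))


def is_affected(version: str, model: str) -> bool:
    """True only for PTX Series on Junos OS Evolved inside the affected range."""
    v = parse_evo_version(version)
    if v is None or not model.strip().upper().startswith("PTX"):
        return False
    if (v.major, v.minor) != AFFECTED_TRAIN:
        return False
    return FIRST_AFFECTED <= (v.r, v.s) < FIRST_FIXED


def triage_show_version(output: str) -> dict:
    """Extract Model and Junos lines from 'show version' text (assumed format)."""
    model = version = ""
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Model":
            model = value.strip()
        elif key.strip() == "Junos":
            version = value.strip()
    return {"model": model, "version": version,
            "affected": is_affected(version, model)}


if __name__ == "__main__":
    # Constructed sample output, not captured from a real device.
    sample = "Hostname: pe1\nModel: ptx10008\nJunos: 25.4R1.8-EVO\n"
    print(triage_show_version(sample))
```

Run this against the output of `show version` collected from each PTX router; only devices reported as affected need the upgrade or one of the workarounds below.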
For organizations unable to patch immediately, Juniper has provided two workarounds:
- Network Filtering: “To reduce the risk of exploitation of this issue, use access lists or firewall filters to limit access to only trusted networks and hosts.” Juniper emphasizes the need to “ensure such filters only permit explicitly required connections and block all others.”
- Disable the Service: You can turn off the vulnerable framework directly by running the command: request pfe anomalies disable.
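The network-filtering workaround is easiest to apply consistently when the filter is generated from a maintained list of trusted management prefixes. The following added example (not Juniper's code and not from the bulletin) builds Junos `set` commands for a loopback filter that accepts traffic from those prefixes and logs and discards everything else. The filter name `PROTECT-RE`, the prefix-list name `TRUSTED-MGMT`, and the decision to protect only IPv4 (`family inet`) are assumptions of this example; the bulletin does not state the port the anomaly service listens on, so the filter restricts by source address rather than by port.

```python
import ipaddress
from typing import Iterable, List


def junos_filter_set_commands(
    trusted_prefixes: Iterable[str],
    filter_name: str = "PROTECT-RE",     # assumed name
    prefix_list: str = "TRUSTED-MGMT",   # assumed name
) -> List[str]:
    """Return Junos 'set' commands for an IPv4 loopback filter that permits
    only the given source prefixes and discards (and logs) all other traffic."""
    # strict=True rejects prefixes with host bits set (192.0.2.5/24), which
    # usually means a typo that would widen or narrow the trusted set.
    nets = [ipaddress.ip_network(p, strict=True) for p in trusted_prefixes]
    nets = [n for n in nets if n.version == 4]
    if not nets:
        raise ValueError("at least one trusted IPv4 prefix is required; "
                         "an empty allow list would lock out all management")

    f = f"set firewall family inet filter {filter_name}"
    cmds = [f"set policy-options prefix-list {prefix_list} {n}" for n in nets]
    cmds += [
        # Term 1: explicitly permitted sources.
        f"{f} term allow-trusted from source-prefix-list {prefix_list}",
        f"{f} term allow-trusted then accept",
        # Final term: everything else is logged and dropped.
        f"{f} term deny-rest then log",
        f"{f} term deny-rest then discard",
        # Apply as an input filter on the loopback so it covers traffic
        # destined to the routing engine on any interface.
        "set interfaces lo0 unit 0 family inet filter input " + filter_name,
    ]
    return cmds


if __name__ == "__main__":
    # Constructed sample prefixes (RFC 5737 documentation ranges).
    for line in junos_filter_set_commands(["192.0.2.0/24", "198.51.100.7"]):
        print(line)
```

Before committing the output, add terms ahead of `deny-rest` for every other connection the router legitimately needs on its loopback (routing-protocol peers, NTP, DNS, monitoring collectors), as the bulletin's guidance to "only permit explicitly required connections" implies; test with `commit confirmed` so a mistake does not cut off management access.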