CVE-2026-21902: Root Code Execution Risk in Junos OS Evolved

CVE-2026-21902 Detail: Root Code Execution Risk in Junos OS Evolved (PTX Series)

February 28, 2026

A newly published vulnerability, CVE-2026-21902, affects certain versions of Juniper’s carrier-grade routing platform and carries a CVSS 4.0 base score of 9.3 (Critical). While it is currently marked as “Awaiting Analysis” in NVD, the vendor-supplied advisory already outlines a serious security concern.

Let’s break down what’s happening, why it matters, and what operators should do next.

Affected Platform

The issue impacts:

  • Junos OS Evolved on PTX Series routers

Affected versions:

  • 25.4 versions before the fixed builds 25.4R1-S1-EVO and 25.4R2-EVO

Not affected:

  • Junos OS Evolved versions before 25.4R1-EVO
  • Traditional Junos OS (non-Evolved)

This distinction is important. The vulnerability exists specifically in the Evolved architecture on PTX hardware, not in the classic Junos OS codebase.

What’s the Core Problem?

Incorrect Permission Assignment for Critical Resource

In simple terms, a sensitive internal service was exposed in a way it should never have been.

The vulnerable component is the On-Box Anomaly Detection framework. This service is designed to be accessible only by internal processes via an internal routing instance. It was never meant to listen on an externally reachable port.

However, due to improper permission controls:

  • The service becomes reachable over the network
  • No authentication is required
  • An attacker can interact with it remotely

Because this service runs with elevated privileges, exploitation allows remote code execution as root. That means full device takeover.

Why This Is Critical

The CNA (Juniper Networks) assigned the vulnerability a CVSS 4.0 score of 9.3 (Critical) with the following characteristics:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Impact: High (Confidentiality, Integrity, Availability)

An attacker on the network can compromise the router without credentials, without tricking a user, and without needing special conditions. On a backbone or edge routing device like a PTX, that’s a serious scenario. Compromise could allow:

  • Traffic interception
  • Route manipulation
  • Service disruption
  • Persistence at infrastructure level

Operational Risk Context

PTX Series routers are typically deployed in:

  • ISP core networks
  • High-performance data centers
  • Peering points
  • Large enterprise WAN backbones

A compromise at this level is not just about one device. It can affect entire routing domains and upstream/downstream traffic paths. Infrastructure-level vulnerabilities are particularly dangerous because they sit below most monitoring layers.

What Should Operators Do?

If you're running Junos OS Evolved 25.4 on PTX hardware:

  • Verify your exact version
  • Upgrade to:
    • 25.4R1-S1-EVO or later
    • 25.4R2-EVO (fixed build)
  • If immediate patching is not possible:
    • Restrict management plane exposure
    • Ensure no unintended external access to internal routing instances
    • Review firewall filters and control-plane policing
    • Increase monitoring of unexpected service listeners
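
For the "verify your exact version" step, the following added example (not code from Juniper or from the original article) triages an inventory against the ranges given above, treating 25.4R1-S1-EVO and 25.4R2-EVO as the fixed builds. The function names, the inventory rows and the assumed version-string layout are illustrative assumptions.

```python
import re

# Assumed version layout: <major>.<minor>R<release>[-S<service>][.<build>][-EVO]
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$", re.I)


def classify(model: str, version: str) -> str:
    """Return 'affected', 'fixed', 'not-affected' or 'unknown' for one device."""
    m = _VERSION.match(version.strip())
    if m is None:
        return "unknown"          # unparsed string: check this device by hand
    major, minor, release = int(m[1]), int(m[2]), int(m[3])
    service = int(m[4] or 0)      # no -S suffix means service release 0
    if m[5] is None:
        return "not-affected"     # traditional (non-Evolved) Junos OS
    if not model.strip().upper().startswith("PTX"):
        return "not-affected"     # the article scopes the issue to PTX Series
    if (major, minor) < (25, 4):
        return "not-affected"     # Evolved releases before 25.4R1-EVO
    if (major, minor) > (25, 4):
        return "unknown"          # later trains are not covered by the article
    # 25.4 train: fixed from 25.4R1-S1-EVO and from 25.4R2-EVO onward
    if release >= 2 or (release == 1 and service >= 1):
        return "fixed"
    return "affected"


# Constructed inventory rows (hostname, model, version); not real devices.
INVENTORY = [
    ("core-1", "PTX10008", "25.4R1.12-EVO"),
    ("core-2", "PTX10008", "25.4R1-S1.3-EVO"),
    ("core-3", "PTX10004", "25.4R2-EVO"),
    ("core-4", "PTX10004", "24.4R2-S1-EVO"),
    ("edge-1", "MX480", "23.4R1.9"),
    ("lab-1", "PTX10001-36MR", "26.2R1-EVO"),
]


def triage(inventory):
    """Map each hostname to its verdict."""
    return {host: classify(model, ver) for host, model, ver in inventory}


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host:8} {verdict}")
```

Devices reported as "unknown" fall outside the ranges the article lists and should be checked against the vendor advisory directly.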

Final Thoughts

CVE-2026-21902 is a classic example of how internal trust boundaries can quietly become external attack surfaces. A service meant for internal communication ended up reachable from the network, and because it runs as root, the blast radius is total.