CVE-2026-21902
Published: 25 February 2026
Summary
CVE-2026-21902 is a critical-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Juniper Junos OS Evolved. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 26.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access to critical resources, directly countering the incorrect permission assignment that exposes the On-Box Anomaly detection framework to unauthenticated attackers.
- SC-7 (Boundary Protection): Monitors and controls communications at external boundaries, preventing network-based exploitation of the service incorrectly exposed on externally facing ports.
- SI-2 (Flaw Remediation): Requires identification, reporting, and correction of system flaws like this permission assignment vulnerability through timely patching to fixed Junos OS Evolved releases.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-21902 is an unauthenticated remote code execution vulnerability in a public-facing service (the On-Box Anomaly detection framework exposed on an external port), which maps directly to Exploit Public-Facing Application (T1190).
NVD Description
An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root. The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port. With the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device. Please note that this service is enabled by default as no specific configuration is required. This issue affects Junos OS Evolved on PTX Series: 25.4 versions before 25.4R1-S1-EVO, 25.4R2-EVO. This issue does not affect Junos OS Evolved versions before 25.4R1-EVO. This issue does not affect Junos OS.
Deeper analysis
CVE-2026-21902 is an Incorrect Permission Assignment for Critical Resource vulnerability (CWE-732) in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series routers. Published on 2026-02-25, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw affects Junos OS Evolved 25.4 versions prior to 25.4R1-S1-EVO and 25.4R2-EVO; it does not impact versions before 25.4R1-EVO or standard Junos OS.
An unauthenticated, network-based attacker can exploit this vulnerability by accessing the On-Box Anomaly detection framework, which is enabled by default with no configuration required and incorrectly exposed on an externally facing port instead of being limited to internal processes over the internal routing instance. Successful exploitation allows the attacker to manipulate the service and execute arbitrary code as root, resulting in complete control of the device.
Juniper's security advisory JSA107128, published at https://kb.juniper.net/JSA107128 and https://supportportal.juniper.net/JSA107128, outlines the mitigation: upgrade to a fixed release such as 25.4R1-S1-EVO or 25.4R2-EVO. A proof-of-concept exploit script is publicly available on GitHub at https://github.com/watchtowrlabs/watchTowr-vs-JunosEvolved-CVE-2026-21902/blob/main/watchTowr-vs-JunosEvolved-CVE-2026-21902.py, which raises the urgency of patching exposed PTX Series devices.
Details
- CWE(s)