Cyber Posture

CVE-2026-21916

High

Published: 09 April 2026
Modified: 17 April 2026
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21916 is a high-severity UNIX Symbolic Link (Symlink) Following (CWE-61) vulnerability in Juniper Junos. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 1.8th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-2 (Flaw Remediation), prevent: Requires timely patching and upgrading of vulnerable Junos OS versions to remediate the symlink following privilege escalation vulnerability as specified in the Juniper advisory.

- SI-5 (Security Alerts, Advisories, and Directives), prevent: Ensures receipt and implementation of security advisories like JSA107807 to identify and address the affected Junos OS versions before exploitation.

- prevent: Restricts low-privilege local users from executing the vulnerable 'file link' CLI operation, reducing the attack surface for privilege escalation.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Symlink following vulnerability in local CLI directly enables local authenticated privilege escalation to root.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root, which will lead to a complete compromise of the system. When, after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated configuration changes), the first user can login as root.

This issue affects Junos OS:

- all versions before 23.2R2-S7,
- 23.4 versions before 23.4R2-S6,
- 24.2 versions before 24.2R2-S3,
- 24.4 versions before 24.4R2-S2,
- 25.2 versions before 25.2R2.

This issue does not affect versions 25.4R1 or later.

Deeper analysis

CVE-2026-21916 is a UNIX Symbolic Link (Symlink) Following vulnerability (CWE-61) in the CLI of Juniper Networks Junos OS, with a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). It affects Junos OS all versions before 23.2R2-S7, 23.4 versions before 23.4R2-S6, 24.2 versions before 24.2R2-S3, 24.4 versions before 24.4R2-S2, and 25.2 versions before 25.2R2. Versions 25.4R1 and later are not affected.

A local, authenticated attacker with low privileges can exploit this vulnerability to escalate privileges to root, resulting in complete system compromise. The attack scenario requires one user to perform a specific 'file link ...' CLI operation, after which another user commits unrelated configuration changes; the first user can then log in as root.

The Juniper security advisory at https://kb.juniper.net/JSA107807 details the mitigation, which is to upgrade to one of the fixed Junos OS releases listed above.

Details

CWE(s): CWE-61 (UNIX Symbolic Link (Symlink) Following)

Affected Products: Juniper Junos, versions 23.2, 23.4, 24.2, 24.4, 25.2 (and all versions ≤ 23.2); see the NVD description above for the fixed releases.

CVEs Like This One

- CVE-2025-21590 (same product: Juniper Junos)
- CVE-2026-21908 (same product: Juniper Junos)
- CVE-2026-33793 (same product: Juniper Junos)
- CVE-2026-33785 (same product: Juniper Junos)
- CVE-2025-60003 (same product: Juniper Junos)
- CVE-2025-59960 (same product: Juniper Junos)
- CVE-2025-21598 (same product: Juniper Junos)
- CVE-2024-39564 (same product: Juniper Junos)
- CVE-2026-33797 (same product: Juniper Junos)
- CVE-2026-21913 (same product: Juniper Junos)
