CVE-2026-33778
Published: 09 April 2026
Summary
CVE-2026-33778 is a high-severity Improper Validation of Syntactic Correctness of Input (CWE-1286) vulnerability in Juniper Junos. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates proper validation of incoming ISAKMP packets to prevent crashes in the IPsec library's kmd/iked processes from malformed input.
Provides denial-of-service protections to mitigate repeated crashes and sustained inability to establish new IPsec security associations.
Ensures timely flaw remediation through patching vulnerable Junos OS versions to address the input validation vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote unauthenticated exploitation of public-facing IPsec/VPN service (T1190) to crash processes and deny availability via application exploitation (T1499.004).
NVD Description
An Improper Validation of Syntactic Correctness of Input vulnerability in the IPsec library used by kmd and iked of Juniper Networks Junos OS on SRX Series and MX Series allows an unauthenticated, network-based attacker to cause a complete Denial-of-Service (DoS).…
more
If an affected device receives a specifically malformed first ISAKMP packet from the initiator, the kmd/iked process will crash and restart, which momentarily prevents new security associations (SAs) for from being established. Repeated exploitation of this vulnerability causes a complete inability to establish new VPN connections. This issue affects Junos OS on SRX Series and MX Series: * all versions before 22.4R3-S9, * 23.2 version before 23.2R2-S6, * 23.4 version before 23.4R2-S7, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S3, * 25.2 versions before 25.2R1-S2, 25.2R2.
Deeper analysisAI
CVE-2026-33778 is an Improper Validation of Syntactic Correctness of Input vulnerability (CWE-1286) in the IPsec library used by the kmd and iked processes within Juniper Networks Junos OS on SRX Series and MX Series devices. It affects all versions prior to 22.4R3-S9, 23.2 versions before 23.2R2-S6, 23.4 versions before 23.4R2-S7, 24.2 versions before 24.2R2-S4, 24.4 versions before 24.4R2-S3, and 25.2 versions before 25.2R1-S2 or 25.2R2. The issue, published on 2026-04-09, carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption without requiring authentication or user interaction.
An unauthenticated, network-based attacker can exploit this vulnerability by sending a specifically malformed first ISAKMP packet to an affected device acting as a VPN responder. This triggers a crash and restart of the kmd or iked process, temporarily preventing the establishment of new IPsec security associations (SAs). Repeated exploitation sustains the denial-of-service condition, rendering the device unable to form new VPN connections and potentially disrupting ongoing network security operations.
Juniper's security advisory at https://kb.juniper.net/JSA107868 details mitigation through upgrading to patched Junos OS releases beyond the listed vulnerable versions, such as 22.4R3-S9 and later where applicable.
Details
- CWE(s)