A critical vulnerability in Junos OS Evolved on Juniper Networks PTX Series routers could allow attackers to gain root access without authentication.
A critical vulnerability in the Junos OS Evolved network operating system of Juniper Networks PTX routers allows attackers to execute remote code as root.
Incorrect access permissions
The vulnerability, CVE-2026-21902, is located in the ‘On-Box Anomaly Detection’ framework of Junos OS Evolved. This service should only be accessible internally, but due to incorrectly assigned permissions, it is reachable via an externally accessible port, Juniper Networks writes in a security advisory. Because the framework is active by default and runs with root privileges, an attacker already within the network can gain full control over the device without logging in.
Temporary mitigation possible
The vulnerability affects PTX Series routers running Junos OS Evolved versions prior to 25.4R1-S1-EVO and 25.4R2-EVO. Other versions of Junos OS are not vulnerable. Patches are available in 25.4R1-S1-EVO, 25.4R2-EVO, and 26.2R1-EVO. Juniper’s SIRT reports that no active exploitation was known at the time of publication.
If patching is not possible, Juniper advises restricting access to the vulnerable endpoint via firewall filters or ACLs. The service can also be completely disabled using the command:
request pfe anomalies disable
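The firewall-filter mitigation described above, as an added illustration that is not from Juniper's advisory: a loopback filter that permits the exposed port only from a trusted management prefix and logs and discards everything else. The port number, the filter and prefix-list names, and the 192.0.2.0/24 management range are placeholders chosen for this example; the advisory on the page does not state the port.

```junos
/* Assumed: <ANOMALY-PORT> is the port the On-Box Anomaly Detection
   framework listens on; replace it with the value from the advisory. */
policy-options {
    prefix-list MGMT-HOSTS {
        192.0.2.0/24;      /* constructed example management range */
    }
}
firewall {
    family inet {
        filter PROTECT-ANOMALY-DETECTION {
            /* Only trusted management hosts may reach the exposed service. */
            term allow-trusted-mgmt {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol tcp;
                    destination-port <ANOMALY-PORT>;
                }
                then accept;
            }
            /* Everything else aimed at that port is logged and dropped,
               which also gives the SOC a signal that someone probed it. */
            term block-anomaly-port {
                from {
                    protocol tcp;
                    destination-port <ANOMALY-PORT>;
                }
                then {
                    syslog;
                    discard;
                }
            }
            /* Leave all other control-plane traffic untouched. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-ANOMALY-DETECTION;
                }
            }
        }
    }
}
```

Keep the final accept term: omitting it would drop all other traffic to the routing engine, including routing protocols and management sessions.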
Attractive target
PTX routers are frequently used by service providers, telecom operators, and cloud environments with high bandwidth requirements. Juniper devices have been popular targets for advanced attacks in recent years, with compromised routers serving as backdoors into the networks they connect.
