CVE-2026-21902

CVE-2026-21902 is a critical-severity vulnerability in Juniper Junos Os Evolved with a CVSS 3.x base score of 9.8. Its EPSS exploit-prediction score of 18% places it in the 97th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-732.

Key facts

Description

An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root. The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port. With the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device. Please note that this service is enabled by default as no specific configuration is required. This issue affects Junos OS Evolved on PTX Series: * 25.4 versions before 25.4R1-S1-EVO, 25.4R2-EVO. This issue does not affect Junos OS Evolved versions before 25.4R1-EVO. This issue does not affect Junos OS.

Frequently asked questions

What is CVE-2026-21902?
An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root. The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port. With the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device. Please note that this service is enabled by default as no specific configuration is required. This issue affects Junos OS Evolved on PTX Series: * 25.4 versions before 25.4R1-S1-EVO, 25.4R2-EVO. This issue does not affect Junos OS Evolved versions before 25.4R1-EVO. This issue does not affect Junos OS.
How severe is CVE-2026-21902?
CVE-2026-21902 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2026-21902 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 18% (97th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-21902?
CVE-2026-21902 affects Juniper Junos Os Evolved. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-21902?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
Does CVE-2026-21902 have an EU (EUVD) identifier?
Yes. CVE-2026-21902 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-8693.
When was CVE-2026-21902 published?
CVE-2026-21902 was published on 2026-02-25 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Juniper Junos Os Evolved

All CVEs affecting Juniper Junos Os Evolved →

Other CWE-732 (Incorrect Permission Assignment for Critical Resource) vulnerabilities

Browse all CWE-732 (Incorrect Permission Assignment for Critical Resource) vulnerabilities →