CVE-2026-21902: Pre-Auth RCE in Juniper Junos OS Evolved on PTX Routers
A critical pre-authentication remote code execution vulnerability in Juniper's Junos OS Evolved, CVE-2026-21902, allows unauthenticated attackers to take full control of PTX Series routers.

Juniper Networks has disclosed a critical vulnerability in its Junos OS Evolved platform, CVE-2026-21902, which scores 9.8 on the CVSS scale and affects PTX Series routers. The flaw resides in the On-Box Anomaly Detection framework, a service that listens on TCP port 8160 and is enabled by default. According to Juniper's advisory, the service was intended to be reachable only over internal routing instances, but a misconfiguration binds it to 0.0.0.0, exposing it to any network attacker.
Researchers at watchTowr Labs analyzed the vulnerability and confirmed that the service is a Python-based REST API running as root. The API allows users to define and execute commands—essentially shell commands—on the device. By sending crafted requests to the exposed port, an unauthenticated attacker can execute arbitrary code with root privileges, gaining complete control of the router.
The affected releases are Junos OS Evolved 25.4 versions before 25.4R1-S1-EVO and 25.4R2-EVO. Versions prior to 25.4R1-EVO are not vulnerable. Juniper has released patches in 25.4R1-S1-EVO and 25.4R2-EVO, and administrators are urged to apply them immediately. The vulnerability is particularly dangerous because it requires no authentication and no specific configuration—the service is active out of the box.
PTX Series routers are high-performance packet transport devices used in service provider backbones, internet exchange points, and hyperscale data centers. A compromise of such devices could allow attackers to intercept, redirect, or disrupt massive volumes of traffic, making this a critical threat to core internet infrastructure.
watchTowr's analysis revealed that the On-Box Anomaly Detection framework is designed to automate monitoring and diagnostics, but its implementation exposes a direct command execution interface. The researchers noted that the service's code explicitly binds to an empty address, which in Python defaults to 0.0.0.0, confirming the external exposure.
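The bind behaviour described above, with a check for it, as an added example (not Juniper's or watchTowr's code). It assumes a Linux-style `/proc/net/tcp` table; the sample rows are constructed and the function names are illustrative.

```python
import socket

LISTEN = "0A"  # TCP_LISTEN state code as printed in /proc/net/tcp

def bound_address(host: str) -> str:
    """Bind to `host` on an ephemeral port; return the address the kernel reports."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[0]

def decode_ipv4(hex_addr: str) -> str:
    """/proc/net/tcp prints IPv4 addresses as little-endian hex (0100007F = 127.0.0.1)."""
    return socket.inet_ntoa(bytes.fromhex(hex_addr)[::-1])

def listeners(proc_net_tcp: str, port: int) -> list[str]:
    """Return the local addresses of all LISTEN sockets on `port` (IPv4 table only)."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) == port:
            found.append(decode_ipv4(addr_hex))
    return found

def exposed(proc_net_tcp: str, port: int) -> bool:
    """True if any listener on `port` is bound to the wildcard address."""
    return "0.0.0.0" in listeners(proc_net_tcp, port)

# Constructed samples in /proc/net/tcp layout (trailing columns trimmed); 0x1FE0 = 8160.
WILDCARD_TABLE = """\
  sl  local_address rem_address   st
   0: 00000000:1FE0 00000000:0000 0A
   1: 00000000:0016 00000000:0000 0A
   2: 0100007F:1FE0 0100007F:C350 01
"""
LOOPBACK_TABLE = """\
  sl  local_address rem_address   st
   0: 0100007F:1FE0 00000000:0000 0A
   1: 00000000:0016 00000000:0000 0A
"""

if __name__ == "__main__":
    print("bind('')          ->", bound_address(""))           # wildcard address
    print("bind('127.0.0.1') ->", bound_address("127.0.0.1"))  # loopback only
    print("wildcard table exposed:", exposed(WILDCARD_TABLE, 8160))
    print("loopback table exposed:", exposed(LOOPBACK_TABLE, 8160))
```

The same parser can be pointed at the contents of a live `/proc/net/tcp`; IPv6 listeners appear in `/proc/net/tcp6`, which this example does not parse.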
CISA has not yet added CVE-2026-21902 to its Known Exploited Vulnerabilities catalog, but given the severity and the ease of exploitation, in-the-wild activity is likely. Network administrators should immediately restrict access to port 8160 via firewall rules and apply the available patches.
This vulnerability underscores the risks of exposing internal management interfaces to the network, especially when they provide root-level command execution. As routers become more software-defined and feature-rich, the attack surface expands, and misconfigurations like this can have catastrophic consequences.