A critical vulnerability in the Junos OS Evolved network operating system running on PTX Series routers from Juniper Networks could allow an unauthenticated attacker to execute code remotely with root privileges.
PTX Series routers are high-performance core and peering routers built for high throughput, low latency, and scale. They are commonly used by internet service providers, telecommunication services, and cloud network applications.
The security issue is identified as CVE-2026-21902 and is caused by incorrect permission assignment in the ‘On-Box Anomaly Detection’ framework, which should be exposed to internal processes only over the internal routing interface.
However, the glitch allows accessing the framework over an externally exposed port, Juniper Networks explains in a security advisory.
Because the service runs as root and is enabled by default, successful exploitation would allow an attacker who is already on the network to take full control of the device without authentication.
The issue affects Junos OS Evolved versions before 25.4R1-S1-EVO and 25.4R2-EVO, on PTX Series routers. Older versions may also be impacted, but the vendor does not assess releases that have reached the end-of-engineering or end-of-life (EoL) phase.
Versions before 25.4R1-EVO, and standard (non-Evolved) Junos OS versions are not impacted by CVE-2026-21902. Juniper Networks has delivered fixes in versions 25.4R1-S1-EVO, 25.4R2-EVO, and 26.2R1-EVO of the product.
Juniper’s Security Incident Response Team (SIRT) states that it was not aware of malicious exploitation of the vulnerability at the time of publishing the security bulletin.
If immediate patching is not possible, the vendor’s recommendation is to restrict access to the vulnerable endpoints to trusted networks only using firewall filters or Access Control Lists (ACLs). Alternatively, administrators may disable the vulnerable service entirely using:
'request pfe anomalies disable'
Juniper Networks products are typically an attractive target for advanced hackers as the network equipment is used by service providers requiring high bandwidth, such as cloud data centers and large enterprises.
In March 2025, it was revealed that Chinese cyber-espionage actors were deploying custom backdoors on EoL Junos OS MX routers to drop a set of ‘TinyShell’ backdoor variants.
In January 2025, a malware campaign dubbed ‘J-magic’ targeted Juniper VPN gateways used in the semiconductor, energy, manufacturing, and IT sectors, deploying network-sniffing malware that activated upon receiving a “magic packet.”
In December 2024, Juniper Networks Smart routers became targets of Mirai botnet campaigns, getting enlisted in distributed denial of service (DDoS) swarms.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
