Juniper MX routers targeted by China-nexus threat group using custom backdoors


Dive Brief:

  • A China-nexus threat actor with apparent in-depth knowledge of Juniper MX devices has compromised the routers using custom backdoors, according to research released Wednesday by Mandiant. 
  • In mid-2024, the security firm found Junos OS routers with Tinyshell-based backdoors installed on them. The affected routers were running end-of-life hardware and software, Mandiant researchers said. 
  • Juniper Networks said the threat activity involved an improper isolation or compartmentalization vulnerability in the kernel of Junos OS. The vulnerability, tracked as CVE-2025-21590, can allow a local attacker with shell access to execute arbitrary code. 

Dive Insight:

The threat actor, tracked as UNC3886, has previously deployed custom backdoors on network edge devices and virtualization platforms and has used legitimate credentials to move laterally within a network without being discovered.

“UNC3886 is known to target network technologies which typically do not have as much forensic visibility as other operating systems such as Microsoft Windows,” Austin Larsen, principal threat analyst, Google Threat Intelligence Group, said via email.

There is no known overlap with threat activity linked to Volt Typhoon or Salt Typhoon, which were involved in the hacking of U.S. critical infrastructure and telecom firms, respectively. 

Mandiant was called in to investigate the threat when suspicious activity was observed within a customer environment. During the probe, Mandiant found six distinct samples of the Tinyshell backdoor located across multiple Juniper MX routers. 

Beyond the active and passive backdoors, the threat actor deployed an embedded script that effectively disabled logging mechanisms. Therefore, existing security monitoring systems could not detect the threat activity. 

At least one instance of malicious exploitation has been reported, according to Juniper's advisory.

Both Mandiant and Juniper Networks recommended that organizations using these routers immediately upgrade their devices and run an integrity checker to confirm their systems are secure. Juniper has issued new software releases; however, it is not the company's normal policy to evaluate releases that have reached end-of-life. 

While the complete list of affected platforms is still being investigated, customers should restrict shell access only to trusted users, according to Juniper. 

“We are committed to the responsible disclosure of security vulnerabilities and actively work with industry partners and government agencies in the security community to counter emerging security threats,” a Juniper spokesperson said.
