A critical vulnerability in Junos OS Evolved on PTX Series routers could allow an unauthenticated network attacker to execute code as root, a security advisory from Juniper Networks said.
KEY FACTS
- Incident: CVE-2026-21902 allows unauthenticated remote code execution as root
- Affected: Junos OS Evolved on PTX Series routers before 25.4R1-S1-EVO and 25.4R2-EVO
- Impact: the vulnerable service runs as root and is enabled by default, allowing full device takeover
- Mitigation: fixes released; temporary workarounds include access restrictions or disabling the service
Incorrect permission assignment in the “On-Box Anomaly Detection” framework exposes the service over an externally reachable port that should be internal only. The service runs as root and is enabled by default so a successful network exploit grants full control of the router.
CVE-2026-21902 tracks the issue. The flaw affects certain Junos OS Evolved releases on PTX Series routers earlier than 25.4R1-S1-EVO and 25.4R2-EVO. Fixes are available in 25.4R1-S1-EVO, 25.4R2-EVO and 26.2R1-EVO.
Workarounds include restricting access to the vulnerable endpoints to trusted networks with firewall filters or access control lists. Administrators may also disable the vulnerable service with the command 'request pfe anomalies disable' if patching cannot be done immediately.
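One way to apply the firewall-filter workaround on a Junos device, as an added example that is not from the Juniper advisory. It assumes the service listens on TCP, uses 65000 as a placeholder for the real port (this page does not list it) and 192.0.2.0/24 as a constructed trusted management prefix; the filter is attached to lo0 so it governs traffic destined for the Routing Engine itself.

```text
/* Added example, not Juniper configuration: limit the exposed anomaly
   detection port to trusted management networks. PLACEHOLDER: replace
   65000 with the port named in the advisory; 192.0.2.0/24 is constructed. */
policy-options {
    prefix-list TRUSTED-MGMT {
        192.0.2.0/24;
    }
}
firewall {
    family inet {
        filter LIMIT-ANOMALY-SVC {
            /* trusted management hosts may still reach the service */
            term trusted-to-anomaly-svc {
                from {
                    source-prefix-list {
                        TRUSTED-MGMT;
                    }
                    protocol tcp;
                    destination-port 65000;
                }
                then accept;
            }
            /* everyone else is dropped and logged, which also gives a
               detection signal for probing of the exposed port */
            term block-untrusted-to-anomaly-svc {
                from {
                    protocol tcp;
                    destination-port 65000;
                }
                then {
                    syslog;
                    discard;
                }
            }
            /* final accept so routing protocols, SSH etc. are unaffected */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input LIMIT-ANOMALY-SVC;
                }
            }
        }
    }
}
```

If lo0 already carries an input filter, add the two service-specific terms to that filter ahead of its final accept instead of replacing it, and mirror them under family inet6 if the service is reachable over IPv6.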
At the time of publication there was no evidence of malicious exploitation. PTX Series routers are used by service providers and cloud operators and are therefore high value targets for attackers. Previous campaigns have targeted similar network equipment.
WHY IT MATTERS
Successful exploitation could give attackers control of core routing infrastructure, exposing traffic to interception or disruption. Operators should apply available fixes or implement the listed mitigations to reduce exposure.