EUVD-2026-21088
GHSA-9hcr-jp7m-44jv
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:X
Lifecycle Timeline
3Description
An Improper Following of a Certificate's Chain of Trust vulnerability in J-Web of Juniper Networks Junos OS on SRX Series allows a PITM to intercept the communication of the device and get access to confidential information and potentially modify it. When an SRX device is provisioned to connect to Security Director (SD) cloud, it doesn't perform sufficient verification of the received server certificate. This allows a PITM to intercept the communication between the SRX and SD cloud and access credentials and other sensitive information. This issue affects Junos OS: * all versions before 22.4R3-S9, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S2, 25.2R2.
Analysis
Certificate chain validation bypass in Juniper Junos OS J-Web on SRX Series enables person-in-the-middle attackers to intercept Security Director cloud communications, exposing credentials and sensitive data. All SRX devices connecting to SD cloud fail to properly verify server certificates, allowing interception of authentication material and configuration data. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all SRX Series devices and verify current Junos OS versions against affected ranges (pre-22.4R3-S9, pre-23.2R2-S6, pre-23.4R2-S7, pre-24.2R2-S3, pre-24.4R2-S2, pre-25.2R1-S2/25.2R2). Within 7 days: Prioritize patching of SRX devices actively connected to Security Director cloud; apply vendor-released patches: 22.4R3-S9, 23.2R2-S6, 23.4R2-S7, 24.2R2-S3, 24.4R2-S2, or 25.2R1-S2/25.2R2 depending on current branch. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today