Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Amber
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Amber
Lifecycle Timeline
7DescriptionCVE.org
An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, crafted CLI commands to inject arbitrary shell commands as root, leading to a complete compromise of the system.
Certain 'set system' commands, when executed with crafted arguments, are not properly sanitized, allowing for arbitrary shell injection. These shell commands are executed as root, potentially allowing for complete control of the vulnerable system. This issue affects:
Junos OS:
- all versions before 22.4R3-S8,
- from 23.2 before 23.2R2-S5,
- from 23.4 before 23.4R2-S7,
- from 24.2 before 24.2R2-S2,
- from 24.4 before 24.4R2,
- from 25.2 before 25.2R2;
Junos OS Evolved:
- all versions before 22.4R3-S8-EVO,
- from 23.2 before 23.2R2-S5-EVO,
- from 23.4 before 23.4R2-S7-EVO,
- from 24.2 before 24.2R2-S2-EVO,
- from 24.4 before 24.4R2-EVO,
- from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO.
AnalysisAI
Command injection in Juniper Networks Junos OS and Junos OS Evolved CLI processing allows high-privileged local attackers to execute arbitrary shell commands as root through crafted 'set system' arguments, enabling complete system compromise. Affects all versions before multiple fixed releases across both operating systems. Authentication required (high-privileged local access). No public exploit identified at time of analysis.
Technical ContextAI
Root cause: inadequate input sanitization in CLI command parser for 'set system' family commands (CWE-78). Crafted arguments bypass validation, injecting shell metacharacters that execute as root-level processes. Affects both Junos OS and Junos OS Evolved CLI frameworks, indicating shared command processing architecture vulnerability.
RemediationAI
Vendor-released patches: Upgrade Junos OS to 22.4R3-S8, 23.2R2-S5, 23.4R2-S7, 24.2R2-S2, 24.4R2, or 25.2R2 depending on deployment branch. For Junos OS Evolved, upgrade to 22.4R3-S8-EVO, 23.2R2-S5-EVO, 23.4R2-S7-EVO, 24.2R2-S2-EVO, 24.4R2-EVO, 25.2R1-S1-EVO, or 25.2R2-EVO. Workaround: Restrict CLI access to trusted administrators only, implement role-based access controls limiting 'set system' command execution, and audit command usage through logging. Review privilege separation policies to minimize accounts with configuration rights. Full technical details and upgrade guidance: https://kb.juniper.net/JSA107875
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r
A security vulnerability in An Improper (CVSS 6.7) that allows a local attacker with high privileges. Risk factors: acti
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series all
jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3,
An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote un
Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by
Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 befor
NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby al
NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allow
Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffe
An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-ba
On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (P
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21207
GHSA-j4rr-c2v3-296r