Skip to main content

Junos OS MX Series CVE-2026-57031

| EUVDEUVD-2026-42721 MEDIUM
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-07-09 juniper GHSA-7v7x-35fg-5xc8
5.3
CVSS 4.0 · Vendor: juniper
Share

Severity by source

Vendor (juniper) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X
vuln.today AI
4.7 MEDIUM

Adjacent subscriber required (AV:A); bypass affects downstream policy integrity only (S:C/I:L); no confidentiality, direct integrity, or availability impact on the router itself.

3.1 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (juniper).

CVSS VectorVendor: juniper

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 09, 2026 - 23:02 EUVD
Analysis Generated
Jul 09, 2026 - 22:26 vuln.today
CVSS changed
Jul 09, 2026 - 22:22 NVD
4.7 (MEDIUM) 5.3 (MEDIUM)

DescriptionCVE.org

An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on MX Series allows adjacent subscribers to bypass configured firewall filters.

On MX Series devices with MPC10/11, LC4800/9600, and MX304 with subscribers configured on static interfaces, ingress firewall filters are not enforced, so that neither protocol level nor upstream bandwidth limitation are in effect.

This issue affects Junos OS on MX with MPC10/11, LC4800/9600/4802, and MX304:

  • 23.2 versions from 23.2R2-S1 before 23.2R2-S7,
  • 23.4 versions from 23.4R2 before 23.4R2-S7,
  • 24.2 versions before 24.2R2-S3,
  • 24.4 versions before 24.4R2-S2,
  • 25.2 versions before 25.2R2.

AnalysisAI

Ingress firewall filter bypass in Juniper Networks Junos OS on MX Series hardware (MPC10/11, LC4800/9600/4802, MX304) allows adjacent subscribers on static interfaces to evade configured protocol-level access controls and upstream bandwidth limitations. The Packet Forwarding Engine (PFE) fails to enforce ingress filters for these subscriber configurations, meaning neither protocol restrictions nor rate-limiting policies take effect. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect as legitimate subscriber on static interface
Delivery
Send traffic matching otherwise-blocked protocols or above-tier bandwidth
Exploit
PFE fails to evaluate ingress firewall filter (CWE-754 condition not checked)
Execution
Ingress filter silently not enforced
Impact
Bypass protocol-level access restrictions and upstream rate limits

Vulnerability AssessmentAI

Exploitation All of the following conditions must simultaneously be true for exploitation: (1) the device must be a Juniper MX Series router running a vulnerable Junos OS version (23.2R2-S1 to 23.2R2-S6, 23.4R2 to 23.4R2-S6, 24.2 before 24.2R2-S3, 24.4 before 24.4R2-S2, or 25.2 before 25.2R2); (2) the device must be equipped with MPC10/11, LC4800, LC9600, LC4802, or MX304 hardware - other line cards are not stated to be affected; (3) subscriber sessions must be provisioned specifically on static interfaces, not dynamic interfaces; (4) at least one ingress firewall filter must be configured on those subscriber interfaces. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) accurately reflects a constrained attack surface: the adjacent vector (AV:A) restricts exploitation to legitimate subscribers sharing the same network segment, and the impact is limited to subsequent system integrity at Low severity (SI:L) with no direct CIA impact on the vulnerable router itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A broadband subscriber connected through a Juniper MX Series BNG equipped with an MPC10/11 or MX304 line card deliberately sends traffic using protocols that should be blocked by their ingress firewall policy - for example, crafting packets to routing protocol ports (BGP/OSPF) or management-plane addresses, or streaming traffic at rates exceeding their contracted bandwidth tier. Because the PFE silently skips ingress filter evaluation for static-interface subscriber sessions on the affected hardware, the subscriber's restricted traffic reaches downstream network segments unimpeded and bandwidth policing is not applied. …
Remediation Upgrade Junos OS to the following vendor-confirmed fixed versions per advisory JSA110091 at https://supportportal.juniper.net/JSA110091: 23.2R2-S7 or later for the 23.2 branch; 23.4R2-S7 or later for the 23.4 branch; 24.2R2-S3 or later for the 24.2 branch; 24.4R2-S2 or later for the 24.4 branch; 25.2R2 or later for the 25.2 branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-57026 HIGH
8.7 Jul 09

Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated

CVE-2026-57023 HIGH
8.7 Jul 09

Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthen

CVE-2026-57022 HIGH
8.2 Jul 09

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls l

CVE-2026-57030 HIGH
8.2 Jul 09

Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exh

CVE-2026-57032 HIGH
7.1 Jul 09

Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low

CVE-2026-57027 HIGH
7.1 Jul 09

Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker t

CVE-2026-57020 HIGH
7.1 Jul 09

Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2)

CVE-2026-57019 HIGH
7.1 Jul 09

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauth

CVE-2026-57021 MEDIUM
6.9 Jul 09

Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes t

CVE-2026-57024 MEDIUM
6.9 Jul 09

Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that ass

CVE-2026-57054 MEDIUM
6.9 Jul 09

Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network atta

CVE-2026-57025 MEDIUM
6.8 Jul 09

Denial-of-service in Juniper Networks Junos OS and Junos OS Evolved on EX Series, QFX Series, and MX Series allows a loc

Share

CVE-2026-57031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy