Juniper

CVE	Summary	Severity	CVSS	EPSS	Priority	Signals
CVE-2026-48687	OS command injection in FastNetMon Community Edition (through 1.2.9) lets attacker-controlled input reach an unescaped exec() call inside the Juniper router integration plugin, enabling arbitrary shell command execution on the host. The flaw lives in the _log() function of src/juniper_plugin/fastnetmon_juniper.php, where the $msg argument (built from argv[1]-argv[3]: attack IP, direction, power) is concatenated directly into a shell command. Although rated CVSS 9.8, practical exploitation is gated: FastNetMon's C++ core currently feeds IPs through inet_ntoa(), which only yields safe dotted-decimal strings, so injection requires the script to be driven directly or by a third-party orchestrator. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.	CRITICAL	9.8	0.1%	49	No patch
CVE-2026-33784	Full device takeover in Juniper Networks Support Insights Virtual Lightweight Collector (vLWC) before 3.0.94 via hardcoded default credentials. The vLWC software ships with an unchangeable initial password for a high-privileged account with no enforced password change during provisioning, enabling unauthenticated remote attackers to gain complete system control. CVSS v4.0 score 9.3 (Critical). No public exploit identified at time of analysis.	CRITICAL	9.3	0.0%	47
CVE-2026-33771	Juniper Networks CTP OS 9.2R1 and 9.2R2 fail to persist password complexity settings, enabling unauthenticated attackers to exploit predictable weak passwords on local accounts. The password management function allows administrators to configure complexity requirements but does not save these configurations, verifiable through 'Show password requirements' menu. This defect permits trivial passwords that attackers can brute-force remotely to gain full device control. No public exploit identified at time of analysis.	CRITICAL	9.1	0.0%	46	No patch
CVE-2026-33778	Remote denial-of-service in Juniper Networks Junos OS (SRX/MX Series) allows unauthenticated attackers to crash IPsec daemons via malformed ISAKMP packets. Exploiting the improper input validation (CWE-1286) in kmd/iked IPsec library causes process restart, preventing new VPN security association establishment. Repeated attacks create sustained inability to establish VPN connections, severely degrading network connectivity for affected enterprise firewalls and routing platforms. No public exploit identified at time of analysis.	HIGH	8.7	0.1%	44
CVE-2026-33790	Denial of service in Juniper Networks Junos OS on SRX Series allows unauthenticated remote attackers to crash srxpfe process via malformed ICMPv6 packets during NAT64 translation. Repeated exploitation sustains DoS by forcing continuous process restarts. Affects wide range of Junos OS versions from 21.2 through 25.2 on SRX hardware. Vulnerability limited to ICMPv6 traffic; IPv4 and standard IPv6 cannot trigger. No public exploit identified at time of analysis.	HIGH	8.7	0.0%	44
CVE-2026-33782	Memory leak in Juniper Networks Junos OS jdhcpd daemon enables adjacent unauthenticated attackers to crash DHCP services on MX Series routers. Each DHCPv6 subscriber logout in PPPoE or VLAN configurations with active/bulk lease query leaks memory, eventually exhausting resources and triggering jdhcpd crash. Service remains unavailable until process restart completes. Affects all Junos OS versions before 22.4R3-S1, 23.2 versions before 23.2R2, and 23.4 versions before 23.4R2. No public exploit identified at time of analysis.	HIGH	8.7	0.0%	44
CVE-2026-33788	Local privilege escalation in Juniper Networks Junos OS Evolved on PTX Series routers allows authenticated users with low privileges to gain high-privileged direct access to Flexible PIC Concentrators (FPCs), enabling potential full compromise of affected line cards. Impacts PTX10004, PTX10008, PTX10016 with JNP10K-LC1201 or JNP10K-LC1202 line cards across multiple firmware branches. Missing authentication on critical FPC management functions permits unauthorized privilege elevation. No public exploit identified at time of analysis.	HIGH	8.5	0.0%	43
CVE-2026-33793	Local privilege escalation in Juniper Networks Junos OS and Junos OS Evolved allows low-privileged authenticated users to execute arbitrary code with root privileges. When unsigned Python operation scripts are enabled in device configuration, attackers can inject and execute malicious op scripts under root-equivalent context, achieving complete system compromise. Affects all Junos OS versions before 22.4R3-S7 and multiple branches through 24.4, plus corresponding Junos OS Evolved releases. No public exploit identified at time of analysis. CVSS 8.5 (High) with local attack vector requiring low privileges and no user interaction.	HIGH	8.5	0.0%	43
CVE-2026-33791	Command injection in Juniper Networks Junos OS and Junos OS Evolved CLI processing allows high-privileged local attackers to execute arbitrary shell commands as root through crafted 'set system' arguments, enabling complete system compromise. Affects all versions before multiple fixed releases across both operating systems. Authentication required (high-privileged local access). No public exploit identified at time of analysis.	HIGH	8.4	0.0%	42
CVE-2026-21915	Command injection in Juniper Networks Support Insights Virtual Lightweight Collector (JSI vLWC) CLI enables local high-privileged attackers to escalate privileges to root. Inadequate input validation in the CLI menu permits shell command injection, with injected commands executing at root level. All JSI vLWC versions before 3.0.94 affected. CVSS 8.4 (High severity, local vector). Requires high-level existing privileges (PR:H). No public exploit identified at time of analysis.	HIGH	8.4	0.0%	42
CVE-2025-30650	Privilege escalation in Juniper Networks Junos OS allows high-privileged local attackers to gain root access on Linux-based line cards running Junos OS Evolved. Missing authentication in critical command processing functions enables authenticated administrators with elevated privileges to bypass access controls and execute commands as root on affected hardware modules including MPC7-11, LC2101/2103, LC480/4800/9600, MX304 built-in FPC, MX-SPC3, SRX5K-SPC3, EX9200-40XS, and PTX-series line cards. No public exploit identified at time of analysis.	HIGH	8.4	0.0%	42
CVE-2026-33779	Certificate chain validation bypass in Juniper Junos OS J-Web on SRX Series enables person-in-the-middle attackers to intercept Security Director cloud communications, exposing credentials and sensitive data. All SRX devices connecting to SD cloud fail to properly verify server certificates, allowing interception of authentication material and configuration data. Affects Junos OS versions across all branches prior to 22.4R3-S9, 23.2R2-S6, 23.4R2-S7, 24.2R2-S3, 24.4R2-S2, and 25.2R1-S2/25.2R2. No public exploit identified at time of analysis. Network-positioned attacker with high complexity required (CVSS AC:H).	HIGH	8.3	0.0%	42
CVE-2026-33783	Complete persistent denial of service in Juniper Networks Junos OS Evolved on PTX Series routers allows authenticated, low-privilege network attackers to crash the evo-aftmand service with no automatic recovery. The vulnerability triggers when PCEP-provisioned colored SRTE policy tunnels with 32-bit ASN values (greater than 65,535) in the Originator ASN field are monitored via gRPC, causing permanent forwarding plane failure until manual system restart. Affects multiple versions through 25.2 release train. No public exploit identified at time of analysis.	HIGH	7.1	0.0%	36
CVE-2026-21919	Management daemon deadlock in Juniper Networks Junos OS 23.4-24.4 and Junos OS Evolved enables network-based authenticated attackers to trigger complete management plane denial-of-service via rapid NETCONF session cycling. Vulnerability causes mgd processes to hang in lockf state, exhausting process pool and preventing administrative logins. Recovery requires device power-cycle. Affects deployments using NETCONF management interface with authenticated remote users. No public exploit identified at time of analysis.	HIGH	7.1	0.0%	36
CVE-2026-33775	Memory exhaustion in Juniper Networks Junos OS BroadBand Edge subscriber management daemon (bbe-smgd) on MX Series allows adjacent unauthenticated attackers to trigger persistent denial of service by sending authentication packets that do not match configured packet-type options. Each mismatched packet leaks memory, eventually consuming all available daemon heap memory and preventing new subscriber logins. Authentication packet-type configuration must be active for exploitation. No public exploit identified at time of analysis.	HIGH	7.1	0.0%	36

CVE-2026-48687

OS command injection in FastNetMon Community Edition (through 1.2.9) lets attacker-controlled input reach an unescaped exec() call inside the Juniper router integration plugin, enabling arbitrary shell command execution on the host. The flaw lives in the _log() function of src/juniper_plugin/fastnetmon_juniper.php, where the $msg argument (built from argv[1]-argv[3]: attack IP, direction, power) is concatenated directly into a shell command. Although rated CVSS 9.8, practical exploitation is gated: FastNetMon's C++ core currently feeds IPs through inet_ntoa(), which only yields safe dotted-decimal strings, so injection requires the script to be driven directly or by a third-party orchestrator. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

CRITICAL

9.8

0.1%

49

No patch

CVE-2026-33784

Full device takeover in Juniper Networks Support Insights Virtual Lightweight Collector (vLWC) before 3.0.94 via hardcoded default credentials. The vLWC software ships with an unchangeable initial password for a high-privileged account with no enforced password change during provisioning, enabling unauthenticated remote attackers to gain complete system control. CVSS v4.0 score 9.3 (Critical). No public exploit identified at time of analysis.

CRITICAL

9.3

0.0%

47

CVE-2026-33771

Juniper Networks CTP OS 9.2R1 and 9.2R2 fail to persist password complexity settings, enabling unauthenticated attackers to exploit predictable weak passwords on local accounts. The password management function allows administrators to configure complexity requirements but does not save these configurations, verifiable through 'Show password requirements' menu. This defect permits trivial passwords that attackers can brute-force remotely to gain full device control. No public exploit identified at time of analysis.

CRITICAL

9.1

0.0%

46

No patch

CVE-2026-33778

Remote denial-of-service in Juniper Networks Junos OS (SRX/MX Series) allows unauthenticated attackers to crash IPsec daemons via malformed ISAKMP packets. Exploiting the improper input validation (CWE-1286) in kmd/iked IPsec library causes process restart, preventing new VPN security association establishment. Repeated attacks create sustained inability to establish VPN connections, severely degrading network connectivity for affected enterprise firewalls and routing platforms. No public exploit identified at time of analysis.

HIGH

8.7

0.1%

44

CVE-2026-33790

Denial of service in Juniper Networks Junos OS on SRX Series allows unauthenticated remote attackers to crash srxpfe process via malformed ICMPv6 packets during NAT64 translation. Repeated exploitation sustains DoS by forcing continuous process restarts. Affects wide range of Junos OS versions from 21.2 through 25.2 on SRX hardware. Vulnerability limited to ICMPv6 traffic; IPv4 and standard IPv6 cannot trigger. No public exploit identified at time of analysis.

HIGH

8.7

0.0%

44

CVE-2026-33782

Memory leak in Juniper Networks Junos OS jdhcpd daemon enables adjacent unauthenticated attackers to crash DHCP services on MX Series routers. Each DHCPv6 subscriber logout in PPPoE or VLAN configurations with active/bulk lease query leaks memory, eventually exhausting resources and triggering jdhcpd crash. Service remains unavailable until process restart completes. Affects all Junos OS versions before 22.4R3-S1, 23.2 versions before 23.2R2, and 23.4 versions before 23.4R2. No public exploit identified at time of analysis.

HIGH

8.7

0.0%

44

CVE-2026-33788

Local privilege escalation in Juniper Networks Junos OS Evolved on PTX Series routers allows authenticated users with low privileges to gain high-privileged direct access to Flexible PIC Concentrators (FPCs), enabling potential full compromise of affected line cards. Impacts PTX10004, PTX10008, PTX10016 with JNP10K-LC1201 or JNP10K-LC1202 line cards across multiple firmware branches. Missing authentication on critical FPC management functions permits unauthorized privilege elevation. No public exploit identified at time of analysis.

HIGH

8.5

0.0%

43

CVE-2026-33793

Local privilege escalation in Juniper Networks Junos OS and Junos OS Evolved allows low-privileged authenticated users to execute arbitrary code with root privileges. When unsigned Python operation scripts are enabled in device configuration, attackers can inject and execute malicious op scripts under root-equivalent context, achieving complete system compromise. Affects all Junos OS versions before 22.4R3-S7 and multiple branches through 24.4, plus corresponding Junos OS Evolved releases. No public exploit identified at time of analysis. CVSS 8.5 (High) with local attack vector requiring low privileges and no user interaction.

HIGH

8.5

0.0%

43

CVE-2026-33791

Command injection in Juniper Networks Junos OS and Junos OS Evolved CLI processing allows high-privileged local attackers to execute arbitrary shell commands as root through crafted 'set system' arguments, enabling complete system compromise. Affects all versions before multiple fixed releases across both operating systems. Authentication required (high-privileged local access). No public exploit identified at time of analysis.

HIGH

8.4

0.0%

42

CVE-2026-21915

Command injection in Juniper Networks Support Insights Virtual Lightweight Collector (JSI vLWC) CLI enables local high-privileged attackers to escalate privileges to root. Inadequate input validation in the CLI menu permits shell command injection, with injected commands executing at root level. All JSI vLWC versions before 3.0.94 affected. CVSS 8.4 (High severity, local vector). Requires high-level existing privileges (PR:H). No public exploit identified at time of analysis.

HIGH

8.4

0.0%

42

CVE-2025-30650

Privilege escalation in Juniper Networks Junos OS allows high-privileged local attackers to gain root access on Linux-based line cards running Junos OS Evolved. Missing authentication in critical command processing functions enables authenticated administrators with elevated privileges to bypass access controls and execute commands as root on affected hardware modules including MPC7-11, LC2101/2103, LC480/4800/9600, MX304 built-in FPC, MX-SPC3, SRX5K-SPC3, EX9200-40XS, and PTX-series line cards. No public exploit identified at time of analysis.

HIGH

8.4

0.0%

42

CVE-2026-33779

Certificate chain validation bypass in Juniper Junos OS J-Web on SRX Series enables person-in-the-middle attackers to intercept Security Director cloud communications, exposing credentials and sensitive data. All SRX devices connecting to SD cloud fail to properly verify server certificates, allowing interception of authentication material and configuration data. Affects Junos OS versions across all branches prior to 22.4R3-S9, 23.2R2-S6, 23.4R2-S7, 24.2R2-S3, 24.4R2-S2, and 25.2R1-S2/25.2R2. No public exploit identified at time of analysis. Network-positioned attacker with high complexity required (CVSS AC:H).

HIGH

8.3

0.0%

42

CVE-2026-33783

Complete persistent denial of service in Juniper Networks Junos OS Evolved on PTX Series routers allows authenticated, low-privilege network attackers to crash the evo-aftmand service with no automatic recovery. The vulnerability triggers when PCEP-provisioned colored SRTE policy tunnels with 32-bit ASN values (greater than 65,535) in the Originator ASN field are monitored via gRPC, causing permanent forwarding plane failure until manual system restart. Affects multiple versions through 25.2 release train. No public exploit identified at time of analysis.

HIGH

7.1

0.0%

36

CVE-2026-21919

Management daemon deadlock in Juniper Networks Junos OS 23.4-24.4 and Junos OS Evolved enables network-based authenticated attackers to trigger complete management plane denial-of-service via rapid NETCONF session cycling. Vulnerability causes mgd processes to hang in lockf state, exhausting process pool and preventing administrative logins. Recovery requires device power-cycle. Affects deployments using NETCONF management interface with authenticated remote users. No public exploit identified at time of analysis.

HIGH

7.1

0.0%

36

CVE-2026-33775

Memory exhaustion in Juniper Networks Junos OS BroadBand Edge subscriber management daemon (bbe-smgd) on MX Series allows adjacent unauthenticated attackers to trigger persistent denial of service by sending authentication packets that do not match configured packet-type options. Each mismatched packet leaks memory, eventually consuming all available daemon heap memory and preventing new subscriber logins. Authentication packet-type configuration must be active for exploitation. No public exploit identified at time of analysis.

HIGH

7.1

0.0%

36

Severity Breakdown

Monthly CVE Trend

Affected Products (13)

Top Risky CVEs