Skip to main content

Juniper

Vendor security scorecard – 22 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 44
22
CVEs
0
Critical
11
High
0
KEV
0
PoC
0
Unpatched C/H
100.0%
Patch Rate
0.3%
Avg EPSS

Severity Breakdown

CRITICAL
0
HIGH
11
MEDIUM
11
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-57023 Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthenticated network attacker crash the flow processing daemon (flowd) by sending a single TCP packet with a malformed TCP header when the TCP proxy is active. Because TCP proxy is engaged whenever ALGs, Advanced Anti-Malware, ICAP, or UTM services inspect a flow, exploitation forces a complete traffic-forwarding outage until the daemon auto-restarts. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability threat to perimeter devices. HIGH 8.7 0.5% 44
CVE-2026-57026 Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated, network-based attacker to crash the flow processing daemon (flowd) by sending a malformed SIP INVITE packet when the SIP Application Layer Gateway (ALG) is enabled. The crash forces a flowd restart, producing a complete traffic-forwarding outage until the device auto-recovers, and can be repeated to sustain the outage. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided. HIGH 8.7 0.5% 44
CVE-2026-33794 Denial-of-service in Juniper Junos OS Evolved on PTX Series routers lets an unauthenticated network attacker crash the advanced forwarding toolkit process (evo-aftmand) on the Packet Forwarding Engine by driving continuous routing updates that produce unified-list (unilist) ECMP routes. The resulting internal state corruption generates an evo-aftmand-bx core and halts forwarding, requiring a manual FPC restart or system reboot to recover. No public exploit identified at time of analysis; the vendor (Juniper SIRT) notes successful exploitation depends on a sequence of events outside the attacker's direct control, so this is a high-CVSS availability issue rather than a trivially reproducible one. HIGH 8.2 0.4% 41
CVE-2026-57022 Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls lets an unauthenticated, network-based attacker crash and restart the PFE, dropping all traffic-forwarding services until automatic recovery. Exploitation is indirect: the attacker must lure or wait for the affected device to initiate an outbound TCP connection to an attacker-controlled system, which then replies with a crafted packet that trips an unhandled exceptional condition (CWE-754). Juniper-reported with CVSS 4.0 8.2; no public exploit identified at time of analysis and it is not in CISA KEV. HIGH 8.2 0.4% 41
CVE-2026-57030 Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exhaust the packet forwarding engine (PFE) by exploiting a race condition in stateful flow teardown. When the race is hit, a flow's timeout is mis-set to a very high value (>10,000s instead of 3s), so sessions are never reaped, invalidated sessions accumulate without bound, and the device eventually stops forwarding or hits a flowd core and reboots. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation is probabilistic because the triggering conditions are outside the attacker's control. HIGH 8.2 0.4% 41
CVE-2026-57032 Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low-privileged authenticated attacker crash the Flexible PIC Concentrator (FPC) by subscribing over gRPC to an unsupported telemetry sensor path in the packet forwarding engine. Each crash produces a complete forwarding outage until the module auto-restarts, and the trigger can be repeated for sustained disruption. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low complexity and single low-privilege prerequisite make it operationally easy to trigger. HIGH 7.1 0.4% 36
CVE-2026-33801 Remote denial-of-service in Juniper Networks Junos OS and Junos OS Evolved 25.2 (before 25.2R2 / 25.2R2-EVO) lets an adjacent, unauthenticated BGP peer crash the routing protocol daemon (RPD) by sending a single malformed non-inet/inet6 unicast BGP update over an already-established session. The RPD crash-and-restart produces a full routing outage until reconvergence completes, though the crash occurs before the update is readvertised so there is no downstream propagation to other routers. CVSS 4.0 base score is 7.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. HIGH 7.1 0.3% 36
CVE-2026-33800 Denial-of-service in the Packet Forwarding Engine of Juniper Junos OS on MX Series routers allows an unauthenticated, network-adjacent attacker to crash and restart the FPC by continuously flapping Micro-BFD sessions. The PFEMAN process queues each up/down event and, in a Virtual-Chassis deployment with locality-bias enabled, processing is slow enough that a sustained flap backlog prevents completion and trips the PFEMAN watchdog timer, forcing an FPC restart and a full traffic outage. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the low complexity and unauthenticated adjacent vector make it a credible availability threat to affected line cards (MPC9 and below). HIGH 7.1 0.3% 36
CVE-2026-57019 Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauthenticated, Layer-2 adjacent attacker crash a line card by sending a single crafted packet within the same broadcast domain. The affected system miscalculates the packet size (CWE-1284, improper validation of specified quantity in input), which fails downstream processing and raises an MQSS major CMError that forces an automatic FPC reset, interrupting all traffic on that FPC until it recovers. Only deployments handling MAP-T or non-IP-over-IP traffic (e.g. MPLS over GRE) are exposed; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. HIGH 7.1 0.3% 36
CVE-2026-57020 Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2) attacker to saturate data-center links by injecting IPv6 multicast traffic in an EVPN-VxLAN fabric. When such packets reach a non-IRB interface of a spine switch, the packet-forwarding engine floods them to other spines and all ESI leaf switches, creating an endless forwarding loop that starves legitimate traffic. No public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 7.1. HIGH 7.1 0.3% 36
CVE-2026-57027 Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker to exhaust packet-forwarding-engine memory and crash the Flexible PIC Concentrator (FPC). The flaw triggers only when sFlow monitoring is enabled in a Virtual Chassis and multicast traffic ingresses on one VC member and egresses on another, causing a slow buffer leak that culminates in an FPC crash and restart. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability risk for affected deployments. HIGH 7.1 0.3% 36
CVE-2026-57021 Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes the process when handling crafted network requests, taking down all web-management-dependent services including J-Web, remote-access VPN, and firewall authentication until automatic process recovery. Exploitation is gated on a specific non-default configuration - remote-access VPN with pre-logon compliance check enabled - limiting the exposed population to SRX deployments that actively use this feature. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the official CVSS 5.3 score reflects the limited, reversible availability-only impact. MEDIUM 6.9 0.5% 35
CVE-2026-57024 Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that assigns duplicate index values to new peers, triggering continuous iked process crashes and a full VPN service outage requiring system reboot. Unauthenticated network-based attackers can deliberately flood the device with failing VPN negotiations to accelerate the rollover condition. No public exploit code or CISA KEV listing exists at time of analysis, but the network-reachable, zero-privilege attack vector makes this a meaningful risk for any organization relying on Juniper-based VPN infrastructure with iked enabled. MEDIUM 6.9 0.4% 35
CVE-2026-33803 Junos OS Evolved exposes an internal communication process to the network via an unintended open port due to incorrect initialization, enabling unauthenticated remote attackers to interact with a service never designed for external access. Affected Juniper devices suffer limited information disclosure and elevated CPU consumption as the misbound process handles unsolicited ingress packets - a soft availability degradation rather than a crash. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network vector across a broad version range warrants prompt patching on internet-facing routing infrastructure. MEDIUM 6.9 0.4% 35
CVE-2026-57054 Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network attackers by allowing a specially formatted URL to evade the URL filtering plugin. The flaw stems from incorrect name or reference resolution (CWE-706), causing the router to forward traffic that security policy mandates be dropped. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 6.9 carries an Automatable:Yes modifier, indicating the bypass is scriptable at scale against any qualifying deployment. MEDIUM 6.9 0.3% 35

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy