Skip to main content

Juniper

Vendor security scorecard – 25 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 62
25
CVEs
1
Critical
13
High
0
KEV
0
PoC
3
Unpatched C/H
88.0%
Patch Rate
0.3%
Avg EPSS

Severity Breakdown

CRITICAL
1
HIGH
13
MEDIUM
11
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-48687 OS command injection in FastNetMon Community Edition (through 1.2.9) lets attacker-controlled input reach an unescaped exec() call inside the Juniper router integration plugin, enabling arbitrary shell command execution on the host. The flaw lives in the _log() function of src/juniper_plugin/fastnetmon_juniper.php, where the $msg argument (built from argv[1]-argv[3]: attack IP, direction, power) is concatenated directly into a shell command. Although rated CVSS 9.8, practical exploitation is gated: FastNetMon's C++ core currently feeds IPs through inet_ntoa(), which only yields safe dotted-decimal strings, so injection requires the script to be driven directly or by a third-party orchestrator. There is no public exploit identified at time of analysis and it is not listed in CISA KEV. CRITICAL 9.8 0.1% 49
No patch
CVE-2026-57023 Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthenticated network attacker crash the flow processing daemon (flowd) by sending a single TCP packet with a malformed TCP header when the TCP proxy is active. Because TCP proxy is engaged whenever ALGs, Advanced Anti-Malware, ICAP, or UTM services inspect a flow, exploitation forces a complete traffic-forwarding outage until the daemon auto-restarts. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability threat to perimeter devices. HIGH 8.7 0.5% 44
CVE-2026-57026 Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated, network-based attacker to crash the flow processing daemon (flowd) by sending a malformed SIP INVITE packet when the SIP Application Layer Gateway (ALG) is enabled. The crash forces a flowd restart, producing a complete traffic-forwarding outage until the device auto-recovers, and can be repeated to sustain the outage. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided. HIGH 8.7 0.5% 44
CVE-2026-33794 Denial-of-service in Juniper Junos OS Evolved on PTX Series routers lets an unauthenticated network attacker crash the advanced forwarding toolkit process (evo-aftmand) on the Packet Forwarding Engine by driving continuous routing updates that produce unified-list (unilist) ECMP routes. The resulting internal state corruption generates an evo-aftmand-bx core and halts forwarding, requiring a manual FPC restart or system reboot to recover. No public exploit identified at time of analysis; the vendor (Juniper SIRT) notes successful exploitation depends on a sequence of events outside the attacker's direct control, so this is a high-CVSS availability issue rather than a trivially reproducible one. HIGH 8.2 0.4% 41
CVE-2026-57022 Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls lets an unauthenticated, network-based attacker crash and restart the PFE, dropping all traffic-forwarding services until automatic recovery. Exploitation is indirect: the attacker must lure or wait for the affected device to initiate an outbound TCP connection to an attacker-controlled system, which then replies with a crafted packet that trips an unhandled exceptional condition (CWE-754). Juniper-reported with CVSS 4.0 8.2; no public exploit identified at time of analysis and it is not in CISA KEV. HIGH 8.2 0.4% 41
CVE-2026-57030 Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exhaust the packet forwarding engine (PFE) by exploiting a race condition in stateful flow teardown. When the race is hit, a flow's timeout is mis-set to a very high value (>10,000s instead of 3s), so sessions are never reaped, invalidated sessions accumulate without bound, and the device eventually stops forwarding or hits a flowd core and reboots. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation is probabilistic because the triggering conditions are outside the attacker's control. HIGH 8.2 0.4% 41
CVE-2026-48695 OS command injection in FastNetMon Community Edition through 1.2.9 lets an authenticated network attacker execute arbitrary shell commands via the MikroTik router integration plugin by influencing argv[] values passed to the unsanitized _log() function. The flaw mirrors a previously disclosed Juniper plugin issue in the same project, and while a public technical write-up exists at lorikeetsecurity.com, no public exploit code or active exploitation has been identified, with EPSS at 0.05% (17th percentile). HIGH 8.1 0.1% 41
No patch
CVE-2026-48694 Configuration injection in FastNetMon Community Edition through 1.2.9 allows an attacker who controls the attacker IP string passed to the Juniper integration plugin to inject arbitrary Juniper NETCONF set/delete commands, leading to full router compromise. The flaw lives in the PHP-based Juniper plugin where unsanitized argv input is interpolated into NETCONF commands, and although no public exploit identified at time of analysis (EPSS 0.03%), the technical impact is rated total under SSVC and CVSS scores 8.1. HIGH 8.1 0.0% 41
No patch
CVE-2026-57032 Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low-privileged authenticated attacker crash the Flexible PIC Concentrator (FPC) by subscribing over gRPC to an unsupported telemetry sensor path in the packet forwarding engine. Each crash produces a complete forwarding outage until the module auto-restarts, and the trigger can be repeated for sustained disruption. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low complexity and single low-privilege prerequisite make it operationally easy to trigger. HIGH 7.1 0.4% 36
CVE-2026-33801 Remote denial-of-service in Juniper Networks Junos OS and Junos OS Evolved 25.2 (before 25.2R2 / 25.2R2-EVO) lets an adjacent, unauthenticated BGP peer crash the routing protocol daemon (RPD) by sending a single malformed non-inet/inet6 unicast BGP update over an already-established session. The RPD crash-and-restart produces a full routing outage until reconvergence completes, though the crash occurs before the update is readvertised so there is no downstream propagation to other routers. CVSS 4.0 base score is 7.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. HIGH 7.1 0.3% 36
CVE-2026-33800 Denial-of-service in the Packet Forwarding Engine of Juniper Junos OS on MX Series routers allows an unauthenticated, network-adjacent attacker to crash and restart the FPC by continuously flapping Micro-BFD sessions. The PFEMAN process queues each up/down event and, in a Virtual-Chassis deployment with locality-bias enabled, processing is slow enough that a sustained flap backlog prevents completion and trips the PFEMAN watchdog timer, forcing an FPC restart and a full traffic outage. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the low complexity and unauthenticated adjacent vector make it a credible availability threat to affected line cards (MPC9 and below). HIGH 7.1 0.3% 36
CVE-2026-57019 Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauthenticated, Layer-2 adjacent attacker crash a line card by sending a single crafted packet within the same broadcast domain. The affected system miscalculates the packet size (CWE-1284, improper validation of specified quantity in input), which fails downstream processing and raises an MQSS major CMError that forces an automatic FPC reset, interrupting all traffic on that FPC until it recovers. Only deployments handling MAP-T or non-IP-over-IP traffic (e.g. MPLS over GRE) are exposed; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. HIGH 7.1 0.3% 36
CVE-2026-57020 Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2) attacker to saturate data-center links by injecting IPv6 multicast traffic in an EVPN-VxLAN fabric. When such packets reach a non-IRB interface of a spine switch, the packet-forwarding engine floods them to other spines and all ESI leaf switches, creating an endless forwarding loop that starves legitimate traffic. No public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 7.1. HIGH 7.1 0.3% 36
CVE-2026-57027 Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker to exhaust packet-forwarding-engine memory and crash the Flexible PIC Concentrator (FPC). The flaw triggers only when sFlow monitoring is enabled in a Virtual Chassis and multicast traffic ingresses on one VC member and egresses on another, causing a slow buffer leak that culminates in an FPC crash and restart. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability risk for affected deployments. HIGH 7.1 0.3% 36
CVE-2026-57021 Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes the process when handling crafted network requests, taking down all web-management-dependent services including J-Web, remote-access VPN, and firewall authentication until automatic process recovery. Exploitation is gated on a specific non-default configuration - remote-access VPN with pre-logon compliance check enabled - limiting the exposed population to SRX deployments that actively use this feature. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the official CVSS 5.3 score reflects the limited, reversible availability-only impact. MEDIUM 6.9 0.5% 35

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy