Juniper: >> Junos Os Evolved Security Vulnerabilities
An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, crafted CLI commands to inject arbitrary shell commands as root, leading to a complete compromise of the system.
Certain 'set system' commands, when executed with crafted arguments, are not properly sanitized, allowing for arbitrary shell injection. These shell commands are executed as root, potentially allowing for complete control of the vulnerable system.
This issue affects:
Junos OS:
* all versions before 22.4R3-S8,
* from 23.2 before 23.2R2-S5,
* from 23.4 before 23.4R2-S7,
* from 24.2 before 24.2R2-S2,
* from 24.4 before 24.4R2,
* from 25.2 before 25.2R2;
Junos OS Evolved:
* all versions before 22.4R3-S8-EVO,
* from 23.2 before 23.2R2-S5-EVO,
* from 23.4 before 23.4R2-S7-EVO,
* from 24.2 before 24.2R2-S2-EVO,
* from 24.4 before 24.4R2-EVO,
* from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO.
CVSS Score
8.4
EPSS Score
0.0
Published
2026-04-09
An Execution with Unnecessary Privileges vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system.
When a configuration that allows unsigned Python op scripts is present on the device, a non-root user is able to execute malicious op scripts as a root-equivalent user, leading to privilege escalation.
This issue affects Junos OS:
* All versions before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S6,
* from 24.2 before 24.2R1-S2, 24.2R2,
* from 24.4 before 24.4R1-S2, 24.4R2;
Junos OS Evolved:
* All versions before 22.4R3-S7-EVO,
* from 23.2 before 23.2R2-S4-EVO,
* from 23.4 before 23.4R2-S6-EVO,
* from 24.2 before 24.2R2-EVO,
* from 24.4 before 24.4R1-S1-EVO, 24.4R2-EVO.
CVSS Score
8.5
EPSS Score
0.0
Published
2026-04-09
An Improper Input Validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker, sending a specific genuine BGP packet in an already established BGP session to reset only that session causing a Denial of Service (DoS).
An attacker repeatedly sending the packet will sustain the Denial of Service (DoS).This issue affects Junos OS:
* 25.2 versions before 25.2R2
This issue doesn't not affected Junos OS versions before 25.2R1.
This issue affects Junos OS Evolved:
* 25.2-EVO versions before 25.2R2-EVO
This issue doesn't not affected Junos OS Evolved versions before 25.2R1-EVO.
eBGP and iBGP are affected.
IPv4 and IPv6 are affected.
CVSS Score
7.1
EPSS Score
0.0
Published
2026-04-09
A Function Call With Incorrect Argument Type vulnerability in the sensor interface of Juniper Networks Junos OS Evolved on PTX Series allows a network-based, authenticated attacker with low privileges to cause a complete Denial of Service (DoS).
If colored SRTE policy tunnels are provisioned via PCEP, and gRPC is used to monitor traffic in these tunnels, evo-aftmand crashes and doesn't restart which leads to a complete and persistent service impact. The system has to be manually restarted to recover. The issue is seen only when the Originator ASN field in PCEP contains a value larger than 65,535 (32-bit ASN). The issue is not reproducible when SRTE policy tunnels are statically configured.
This issue affects Junos OS Evolved on PTX Series:
* all versions before 22.4R3-S9-EVO,
* 23.2 versions before 23.2R2-S6-EVO,
* 23.4 versions before 23.4R2-S7-EVO,
* 24.2 versions before 24.2R2-S4-EVO,
* 24.4 versions before 24.4R2-S2-EVO,
* 25.2 versions before 25.2R1-S2-EVO, 25.2R2-EVO.
CVSS Score
7.1
EPSS Score
0.001
Published
2026-04-09
A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a local user with low privileges to read sensitive information.
A local user with low privileges can execute the CLI command 'show mgd' with specific arguments which will expose sensitive information.
This issue affects
Junos OS:
* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S6,
* 23.4 versions before 23.4R2-S6,
* 24.2 versions before 24.2R2-S4,
* 24.4 versions before 24.4R2-S1,
* 25.2 version before 25.2R1-S2, 25.2R2;
Junos OS Evolved:
* all versions before 23.2R2-S6-EVO,
* 23.4 version before 23.4R2-S6-EVO,
* 24.2 version before 24.2R2-S4-EVO,
* 24.4 versions before 24.4R2-S1-EVO,
* 25.2 versions before 25.2R2-EVO.
CVSS Score
6.8
EPSS Score
0.0
Published
2026-04-09
A Missing Release of Memory after Effective Lifetime vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a memory leak ultimately leading to a Denial of Service (DoS).
In an EVPN-MPLS scenario, routes learned from remote multi-homed Provider Edge (PE) devices are programmed as ESI routes. Due to a logic issue in the l2ald memory management, memory allocated for these routes is not released when there is churn for these routes. As a result, memory leaks in the l2ald process which will ultimately lead to a crash and restart of l2ald.
Use the following command to monitor the memory consumption by l2ald:
user@device> show system process extensive | match "PID|l2ald"
This issue affects:
Junos OS:
* all versions before 22.4R3-S5,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R2;
Junos OS Evolved:
* all versions before 22.4R3-S5-EVO,
* 23.2 versions before 23.2R2-S3-EVO,
* 23.4 versions before 23.4R2-S4-EVO,
* 24.2 versions before 24.2R2-EVO.
CVSS Score
7.1
EPSS Score
0.0
Published
2026-04-09
An Incorrect Synchronization vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker with low privileges to cause a complete Denial-of-Service (DoS) of the management plane.
When NETCONF sessions are quickly established and disconnected, a locking issue causes mgd processes to hang in an unusable state. When the maximum number of mgd processes has been reached, no new logins are possible. This leads to the inability to manage the device and requires a power-cycle to recover.
This issue can be monitored by checking for mgd processes in lockf state in the output of 'show system processes extensive':
user@host> show system processes extensive | match mgd
<pid> root 20 0 501M 4640K lockf 1 0:01 0.00% mgd
If the system still can be accessed (either via the CLI or as root, which might still be possible as last resort as this won't invoke mgd), mgd processes in this state can be killed with 'request system process terminate <PID>' from the CLI or with 'kill -9 <PID>' from the shell.
This issue affects:
Junos OS:
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R2-S1,
* 24.4 versions before 24.4R1-S3, 24.4R2;
This issue does not affect Junos OS versions before 23.4R1;
Junos OS Evolved:
* 23.4 versions before 23.4R2-S5-EVO,
* 24.2 versions before 24.2R2-S1-EVO,
* 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO.
This issue does not affect Junos OS Evolved versions before 23.4R1-EVO;
CVSS Score
7.1
EPSS Score
0.0
Published
2026-04-09
An Incorrect Permission Assignment for Critical Resource vulnerability in the On-Box Anomaly detection framework of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated, network-based attacker to execute code as root.
The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port. With the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device.
Please note that this service is enabled by default as no specific configuration is required.
This issue affects Junos OS Evolved on PTX Series:
* 25.4 versions before 25.4R1-S1-EVO, 25.4R2-EVO.
This issue does not affect Junos OS Evolved versions before 25.4R1-EVO.
This issue does not affect Junos OS.
CVSS Score
9.3
EPSS Score
0.001
Published
2026-02-25
A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS).
When telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-capable processes like chassisd, rpd or mib2d will crash and restart, which - depending on the process - can cause a complete outage until the system has recovered.
This issue affects:
Junos OS:
* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S5,
* 23.4 versions before 23.4R2;
Junos OS Evolved:
* all versions before 22.4R3-S8-EVO,
* 23.2 versions before 23.2R2-S5-EVO,
* 23.4 versions before 23.4R2-EVO.
CVSS Score
7.1
EPSS Score
0.0
Published
2026-01-15
An Incorrect Calculation vulnerability in the Layer 2 Control
Protocol
Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage.
When the issue is seen, the following log message will be generated:
op:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP,
This issue affects Junos OS Evolved:
* all versions before 21.4R3-S7-EVO,
* from 22.2 before 22.2R3-S4-EVO,
* from 22.3 before 22.3R3-S3-EVO,
* from 22.4 before 22.4R3-S2-EVO,
* from 23.2 before 23.2R2-S1-EVO,
* from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO.
CVSS Score
7.1
EPSS Score
0.0
Published
2026-01-15
Page 1