Critical Vulnerability in Junos OS Evolved could allow remote execution as root in PTX Series


The PTX Series are core routers designed for high-capacity, low-latency environments, very common among Internet service providers, carriers and large cloud operators, so any flaw in these devices has large-scale impact potential. The product specification is available on the Juniper website: PTX Series routers.

The root of the problem is an incorrect permission assignment within the component responsible for "on-box" anomaly detection. This detection framework should be reachable only through the internal routing interface, but an error made it accessible on a port exposed to external networks. Because the service runs with system (root) privileges and is enabled by default, this exposure provides a direct path to compromising the device if an attacker can reach that port over the network.


The vulnerability has been recorded as CVE-2026-21902, and Juniper published a technical advisory with details and recommendations on its support portal: Juniper security notices. According to the vendor, at the time of publication there was no indication that the vulnerability was being actively exploited in the wild, but that does not mitigate the inherent risk while unpatched installations remain in place.

In terms of scope, the flaw affects Junos OS Evolved on the PTX Series in releases prior to 25.4R1-S1-EVO and 25.4R2-EVO; Juniper has shipped fixes in versions 25.4R1-S1-EVO, 25.4R2-EVO and 26.2R1-EVO. It is important to note that versions prior to 25.4R1-EVO and the standard (non-Evolved) branches of Junos OS are not considered affected by this CVE. It should also be borne in mind that Juniper does not evaluate releases that have already reached end of life (EoL), so devices running out-of-maintenance releases could be left without an official mitigation.
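Turning the version scope above into an inventory check is the first thing an operator needs to do (the article's closing advice is to check the version inventory urgently). The script below is an added example, not code from Juniper or from the article: it parses Junos OS Evolved version strings, applies exactly the boundaries the article states (older than 25.4R1-EVO not affected; 25.4R1-S1-EVO, 25.4R2-EVO and 26.2R1-EVO fixed; classic non-EVO Junos OS and non-PTX platforms not affected) and refuses to guess for trains the article does not mention. The hostnames and models in the sample inventory are constructed, and the assumption that the 26.2R1-EVO fix carries forward into later trains is labelled in the code.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple


class EvoVersion(NamedTuple):
    """Comparable form of a Junos OS Evolved version string (tuple order = release order)."""
    major: int
    minor: int
    release: int   # the Rn number
    service: int   # the -Sn number, 0 when there is no service release


_EVO_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?-EVO$")


def parse_evo_version(text: str) -> Optional[EvoVersion]:
    """Parse strings such as '25.4R1-S1-EVO'.

    Returns None for anything that is not a Junos OS Evolved version
    (classic Junos OS has no -EVO suffix and is out of scope for this CVE).
    """
    m = _EVO_RE.match(text.strip())
    if m is None:
        return None
    major, minor, release, service = m.groups()
    return EvoVersion(int(major), int(minor), int(release), int(service or 0))


# Boundaries taken from the article's stated scope.
FIRST_AFFECTED = EvoVersion(25, 4, 1, 0)   # 25.4R1-EVO: anything older is not affected
FIXED_25_4 = EvoVersion(25, 4, 1, 1)       # 25.4R1-S1-EVO (25.4R2-EVO sorts after it, so it is covered too)
FIXED_26_2 = EvoVersion(26, 2, 1, 0)       # 26.2R1-EVO


def classify(platform: str, version: str) -> Tuple[str, str]:
    """Return (status, reason); status is affected / fixed / not-affected / unknown."""
    if not platform.upper().startswith("PTX"):
        return "not-affected", "platform is not PTX Series"
    v = parse_evo_version(version)
    if v is None:
        return "not-affected", "not Junos OS Evolved (no -EVO suffix)"
    if v < FIRST_AFFECTED:
        return "not-affected", "older than 25.4R1-EVO"
    if (v.major, v.minor) == (25, 4):
        if v >= FIXED_25_4:
            return "fixed", "25.4R1-S1-EVO or later in the 25.4 train"
        return "affected", "upgrade to 25.4R1-S1-EVO or 25.4R2-EVO"
    if v >= FIXED_26_2:
        # Assumption: the 26.2R1-EVO fix carries forward into later trains.
        return "fixed", "26.2R1-EVO or later"
    # 26.0 / 26.1 trains are not mentioned by the article, so do not guess.
    return "unknown", "train not covered by the article; consult the Juniper advisory"


def triage_inventory(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Rows are (hostname, platform, version); returns (hostname, status, reason) per row."""
    return [(host,) + classify(platform, version) for host, platform, version in inventory]


# Constructed sample inventory: hostnames and models are made up for this example.
SAMPLE_INVENTORY = [
    ("ptx-core-01", "PTX10008", "25.4R1-EVO"),
    ("ptx-core-02", "PTX10008", "25.4R1-S1-EVO"),
    ("ptx-core-03", "PTX10016", "25.4R2-EVO"),
    ("ptx-edge-04", "PTX10001", "24.4R2-EVO"),
    ("mx-edge-05", "MX480", "25.4R1"),
    ("ptx-lab-06", "PTX10002", "26.1R1-EVO"),
]

if __name__ == "__main__":
    for host, status, reason in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {status:13} {reason}")
```

Feeding the script a real inventory export (hostname, model, `show version` string) gives a per-device list of who needs the update first; rows marked "unknown" are the ones to check against the Juniper advisory rather than assume safe.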

If the patch cannot be applied immediately, Juniper suggests reducing the vulnerable service's exposure by limiting access to the affected endpoints with firewall filters or access control lists (ACLs), so that only trusted networks and hosts can communicate with the device. As a temporary alternative, administrators can disable the anomaly detection service with the following command on the device's control plane: 'request pfe anomalies disable'. Bear in mind that disabling this functionality can reduce visibility into, and detection of, abnormal behaviour in the network, so it should be treated as a temporary measure until the update is applied.


For operators and engineering teams, the practical recommendation is to prioritise a planned update as soon as possible, to perform the necessary tests in pre-production environments and to deploy the patches during controlled maintenance windows. In addition, it is advisable to review network segmentation, ensure that administrative and management interfaces are not exposed to untrusted networks, and monitor device logs and telemetry for anomalous access.

Network infrastructure equipment is often an attractive target for advanced adversaries: its position in the topology and its ability to carry large volumes of traffic make it a high-value target. Juniper has seen various campaigns aimed at network infrastructure in recent years, so this kind of vulnerability requires a rapid, coordinated response between vendors, operators and security teams.

If you manage infrastructure that includes PTX routers running Junos OS Evolved, check your version inventory urgently, apply the fixes provided by Juniper and, in the meantime, reduce the attack surface following the vendor's guidance. The combination of patching, segmentation and detection is the best way to minimise risk until all devices are updated. For official information and additional technical details, read the Juniper advisory and the NVD entry linked above.
