On 25 February 2026, Juniper Networks issued an Out-of-Cycle Security Bulletin for a critical vulnerability affecting Junos OS Evolved on PTX Series platforms. The issue—tracked as CVE-2026-21902—allows an unauthenticated, network-based attacker to execute arbitrary code as root, resulting in full device compromise.
Vulnerability Summary
Title: A vulnerability allows an unauthenticated, network-based attacker to execute code as root in Junos OS Evolved (PTX Series).
CVE Identifier: CVE-2026-21902
Severity: High / Critical (Vendor rated)
Vendor: Juniper Networks
Systems Affected:
- Junos OS Evolved on PTX Series platforms
- Specific versions: 25.4 prior to 25.4R1-S1-EVO and 25.4R2-EVO
- Not affected: Versions before 25.4R1-EVO, and classic Junos OS (non-Evolved) distributions.
Technical Breakdown
Root Cause & Vulnerable Component
The flaw stems from an Incorrect Permission Assignment for a Critical Resource in the On-Box Anomaly Detection Framework of Junos OS Evolved. The anomaly detection service is:
- Enabled by default on affected platforms
- Designed to be reachable internally (via local processes)
- Incorrectly exposed externally, allowing remote access over the network.
A malicious actor can interact with this exposed service over the network, manipulate the access control logic, and divert execution flow to run arbitrary code with root privileges.
This combination of missing access control, service exposure, and privileged execution context makes the flaw particularly severe.
Exploitability
Key aspects that enable exploitation:
- Network-based access — no authentication required (i.e., attacker does not need credentials).
- Remote code execution (RCE) in a privileged context (root).
- Default configuration enables the service — meaning no special provisioning or activation is needed to be vulnerable.
Such characteristics typically make a vulnerability a highly attractive target for automated scanning and exploitation.
Affected Versions & Upgrade Paths
Affected:
- Junos OS Evolved 25.4 before:
  - 25.4R1-S1-EVO
  - 25.4R2-EVO
Unaffected:
- Versions prior to 25.4R1-EVO
- Classic Junos OS distributions are not impacted by this specific issue.
Administrators should validate the OS version running on PTX devices and upgrade to at least 25.4R1-S1-EVO or 25.4R2-EVO where this vulnerability is reported to be addressed.
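One way to run that version check across a device inventory, as an added example that is not taken from Juniper's bulletin or tooling. The accepted version-string format (including ignored build suffixes such as `.12`) is an assumption, and the hostnames, models and versions in the inventory are constructed sample data.

```python
import re

# Junos release string such as "25.4R1-S1-EVO" or "25.4R1.12-EVO".
# Assumption: build suffixes (".12") may appear and do not affect the result.
_REL = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.\d+)?(?:-S(\d+)(?:\.\d+)?)?(-EVO)?$")

TRAIN = (25, 4)        # release train named in the bulletin
FIRST_FIXED = (1, 1)   # 25.4R1-S1-EVO as (R, S); 25.4R2-EVO sorts above it


def classify(version: str, platform: str = "PTX") -> str:
    """Return 'affected', 'fixed', 'not-affected' or 'unparsed'."""
    if not platform.upper().startswith("PTX"):
        return "not-affected"      # the bulletin covers PTX Series only
    m = _REL.match(version.strip().upper())
    if m is None:
        return "unparsed"          # unknown format: check this device by hand
    if m.group(5) is None:
        return "not-affected"      # classic Junos OS (no -EVO suffix)
    major, minor, r, s = (int(g) if g else 0 for g in m.groups()[:4])
    if (major, minor) < TRAIN:
        return "not-affected"      # versions before 25.4R1-EVO
    if (major, minor) > TRAIN:
        return "fixed"             # "or later" than the fixed releases
    return "affected" if (r, s) < FIRST_FIXED else "fixed"


# Constructed inventory: (hostname, model, version reported by the device).
INVENTORY = [
    ("ptx-core-1", "PTX10008", "25.4R1-EVO"),
    ("ptx-core-2", "PTX10008", "25.4R1-S1-EVO"),
    ("ptx-edge-1", "PTX10001-36MR", "24.4R2-S1-EVO"),
    ("mx-agg-1", "MX480", "25.4R1"),
]


def audit(inventory):
    """Map each hostname to its classification."""
    return {host: classify(ver, model) for host, model, ver in inventory}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as `unparsed` should be treated as unverified rather than safe.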
Risk & Impact
Potential consequences of exploitation include:
- Complete device takeover (root shell)
- Tampering with routing and forwarding functions
- Installation of persistent malware
- Disruption of network operations
- Use of compromised devices as lateral pivot points
This vulnerability’s combination of remote access, unauthenticated exploitability, and root execution places it among the highest security risks for infrastructure operators.
Mitigation Recommendations
- Upgrade affected Junos OS Evolved versions to fixed releases (25.4R1-S1-EVO / 25.4R2-EVO or later).
- Audit access controls to restrict exposure of internal services.
- Harden network segments where management or anomaly-detection services reside.
- Monitor logs and device telemetry for unusual access attempts or unexpected service interactions.
- Apply network segmentation and firewall policies to limit service reachability.
Timely patching and strict perimeter control will significantly reduce exploitation likelihood.
Broader Context
CVE-2026-21902 is part of an ongoing series of Juniper security advisories addressing multiple vulnerabilities affecting Junos OS and Junos OS Evolved components across platforms including SRX, MX, PTX and others. These advisories highlight the wide variety of issues ranging from denial-of-service (DoS) to remote code execution and privilege escalation.
Summary
CVE-2026-21902 represents a critical remote root execution vulnerability in Junos OS Evolved on PTX Series routers. Its unauthenticated, network-based exploitability, coupled with a service that is enabled by default, underscores the importance of rapid patching and hardened deployment practices in modern networking environments.
Stay current with vendor advisories and prioritize updates for devices exposed to untrusted networks.
