Particle.news

Juniper Patches Critical PTX Router Flaw Enabling Remote Root Access

Operators are urged to patch immediately following out-of-cycle fixes, with no confirmed exploitation.

Overview

  • CVE-2026-21902 is a CVSS 9.8 vulnerability in the On-Box Anomaly Detection framework that exposes an externally reachable port and allows unauthenticated code execution as root.
  • The issue affects only PTX Series routers running Junos OS Evolved, while standard Junos OS and other Juniper families are not impacted.
  • Juniper released fixed builds 25.4R1-S1-EVO, 25.4R2-EVO, and 26.2R1-EVO, which address the previously vulnerable versions on PTX hardware.
  • The vulnerable service runs as root and is enabled by default, so Juniper advises immediate upgrades or, if delayed, restricting access via ACLs or firewall filters or disabling the service with 'request pfe anomalies disable'.
  • Juniper’s SIRT reports no evidence of in-the-wild exploitation, yet the potential impact is high because PTX devices anchor ISP backbones, data center interconnects, and carrier networks.