Juniper Junos OS has six KEV entries and two separate attack surfaces
Five CVSS 5.3 bugs in J-Web that chain to unauthenticated RCE, and a kernel isolation flaw exploited by a China-nexus actor to root MX routers. The scoring gap on the first cluster is the operational lesson.
Six entries in CISA’s Known Exploited Vulnerabilities catalog for a single operating system is not a coincidence. What makes Juniper’s count interesting is that the six don’t come from one bad component or one bad quarter. They come from two structurally different attack surfaces, exploited by two different threat actor categories, nearly two years apart. That separation is worth pulling apart, because the lesson from each cluster is different.
The obvious read
The headline version: Juniper EX switches and SRX firewalls had a set of J-Web vulnerabilities in 2023 that required patching, CISA flagged them, and then in 2025 a more sophisticated actor exploited a kernel flaw to install rootkits on MX routers. Two bad years, patch and move on.
That read is technically accurate and operationally incomplete.
The 2023 cluster: five medium scores, one critical chain
On August 17, 2023, Juniper published out-of-cycle advisory JSA72300 for J-Web, the web management interface of Junos OS on SRX Series firewalls and EX Series switches. Five CVEs fall under it: CVE-2023-36844 (EX Series) and CVE-2023-36845 (EX and SRX Series), both PHP external variable modification; CVE-2023-36846 (SRX) and CVE-2023-36847 (EX), both missing authentication for a critical function; and CVE-2023-36851 (SRX), also missing authentication for a critical function. Every individual CVSS score: 5.3.
The chained CVSS: 9.8.
watchTowr Labs published a working PoC on August 25, 2023, eight days after the advisory. The chain needs only two of the five bugs: CVE-2023-36846 lets an unauthenticated attacker upload an arbitrary file into the HTTPD jail, and CVE-2023-36845 lets that same attacker modify PHP environment variables so the interpreter executes the uploaded file. Unauthenticated RCE, no credentials, reachable from the network. The Shadowserver Foundation reported exploitation attempts beginning the same day the PoC was published.
CISA added all five to the KEV catalog on November 13, 2023, with a remediation deadline of November 17: four days. Most KEV entries get around three weeks; a four-day window is CISA signaling urgency about as directly as the catalog allows.
The more interesting detail is the scoring gap. A team filtering its vulnerability backlog by "CVSS 7.0 or above" would have deprioritized all five of these and been blind to the actual risk. Each bug, scored in isolation, is a medium. Together, they are pre-authentication RCE on a firewall or switch. The standard CVSS-threshold filter failed here not because it was applied wrong, but because the individual vulnerability was the wrong unit of analysis: Juniper's own advisory scored the combination 9.8, so the information existed, but a pipeline that ingests per-CVE scores and nothing else never sees it. Rapid7's August 31 exploitation report captures the window between advisory and in-the-wild exploitation: roughly eight days, with the PoC landing at the end of it.
The workaround Juniper published alongside the advisory was the right call regardless of patch status: disable J-Web, or restrict it to trusted hosts only. J-Web is a management interface. It has no business being reachable from untrusted networks. The same sentence applies to Cisco ASDM, Palo Alto's management plane, and Ivanti Connect Secure's admin web interface. Management interfaces on internet-facing surfaces keep producing pre-auth RCE chains because they were never designed to withstand adversarial input from arbitrary sources, and the J-Web cluster is one more data point in that pattern.
The 2025 entry: a different surface, a different problem
CVE-2025-21590 is an improper isolation or compartmentalization vulnerability in the Junos OS kernel, CVSS 6.7. An attacker who already has shell access with high privileges can inject arbitrary code into the memory of a legitimate running process, bypassing Veriexec, the kernel-level code-signing and execution control mechanism that is meant to stop unsigned binaries from running. It is not exploitable from the Junos CLI; it requires shell-level access to the device.
CISA added CVE-2025-21590 on March 13, 2025.
The attribution context comes from Mandiant’s March 2025 research, which documented UNC3886, a China-nexus espionage group, deploying custom tooling on Juniper MX routers. The campaign started in mid-2024. The post-exploitation toolkit included TINYSHELL (a backdoor with active and passive modes), the REPTILE and MEDUSA rootkits, a SEAELF persistence loader, a custom SSH server designed to capture credentials by hijacking legitimate SSH authentications, and GHOSTTOWN, an anti-forensics package intended to obscure the presence of the other tools. Targeted sectors: defense, telecommunications, and technology in the US and Asia.
A critical detail in the technical reporting: many of the affected devices were running end-of-life hardware and software, which The Hacker News coverage called out explicitly. For those devices, CVE-2025-21590 is one dimension of a larger problem that vendor patching cannot solve: there will be no patch for the next vulnerability on hardware the vendor no longer supports.
What the two clusters tell you about prioritization
The J-Web cluster and the kernel cluster require different prioritization logic, and conflating them produces the wrong actions.
For J-Web: the threat is external, unauthenticated, and fast-moving. The PoC-to-exploitation window was measured in days. The right filter here is not CVSS score, it is exposure configuration. If J-Web was reachable from untrusted networks on August 17, 2023, the question was not "when can we patch this?" but "how fast can we cut access?" An org that had already restricted J-Web to management VLANs had a fundamentally different exposure than one that hadn't, regardless of patch timeline. The five-CVE cluster is the clearest argument in the Juniper record for treating management interface exposure as a standing configuration requirement, not a response to a specific advisory.
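The exposure question in this paragraph and in the workaround paragraph earlier (disable J-Web, or restrict it to trusted hosts) can be answered from a configuration dump, which is what the following added example does. It is not Juniper's tooling and not code from the page; it reads the `set ...` lines that `show configuration | display set` produces on Junos and reports each J-Web listener that is neither bound only to a management interface nor protected by a source-restricted lo0 input filter. The management-interface names in `MGMT_INTERFACES`, the allow-then-deny heuristic for the lo0 filter, and the four sample configurations are all my constructions for the example; the configuration syntax itself is standard Junos.

```python
"""Audit J-Web exposure from a Junos 'show configuration | display set' dump.

Added example, not Juniper's own tooling. It reports J-Web listeners that
are reachable without an interface binding to a management port and without
a source-restricted Routing Engine (lo0) filter. Sample configs are constructed.
"""
import re

# Assumption: these are the out-of-band management ports on the platform
# (fxp0/em0 on Routing Engines, vme on a Virtual Chassis). Adjust per device.
MGMT_INTERFACES = ("fxp0", "em0", "vme", "mgmt")
# Port names or numbers a lo0 filter term may use to match each J-Web listener.
JWEB_PORTS = {"http": {"http", "80"}, "https": {"https", "443"}}


def config_lines(config: str) -> list:
    """Keep only 'set ...' lines, stripped, so banners and prompts are ignored."""
    return [ln.strip() for ln in config.splitlines() if ln.strip().startswith("set ")]


def jweb_services(lines: list) -> dict:
    """Map enabled J-Web listeners ('http'/'https') to the interfaces they bind.

    An empty interface list means the listener accepts on every interface.
    """
    services = {}
    for line in lines:
        m = re.match(r"set system services web-management (https?)(?:\s+(.*))?$", line)
        if not m:
            continue
        info = services.setdefault(m.group(1), {"interfaces": []})
        rest = m.group(2) or ""
        if rest.startswith("interface "):
            # Either "interface fxp0.0" or "interface [ fxp0.0 ge-0/0/0.0 ]"
            names = rest[len("interface "):].strip("[] ")
            info["interfaces"].extend(re.findall(r"[\w/.:-]+", names))
    return services


def lo0_filter_restricts(lines: list, svc: str) -> bool:
    """Heuristic for a source-restricted Routing Engine filter.

    True when the lo0 input filter has (a) a term that accepts the J-Web port
    only from a source prefix list or address and (b) a term that discards or
    rejects that port with no source match: the usual allow-then-deny pair.
    """
    name = None
    for line in lines:
        m = re.match(r"set interfaces lo0 unit \d+ family inet filter input (\S+)$", line)
        if m:
            name = m.group(1)
    if name is None:
        return False
    pat = re.compile(rf"set firewall family inet filter {re.escape(name)} term (\S+) (.*)$")
    terms = {}
    for line in lines:
        m = pat.match(line)
        if m:
            terms.setdefault(m.group(1), []).append(m.group(2))
    scoped_accept = unscoped_deny = False
    for clauses in terms.values():
        ports = set()
        for c in clauses:
            if c.startswith("from destination-port "):
                ports |= set(c.split()[2:]) - {"[", "]"}
        hits_port = bool(ports & JWEB_PORTS[svc])
        has_source = any(
            c.startswith(("from source-prefix-list ", "from source-address ")) for c in clauses)
        actions = {c.split()[1] for c in clauses if c.startswith("then ")}
        denies = bool(actions & {"discard", "reject"})  # a term without one accepts
        if hits_port and has_source and not denies:
            scoped_accept = True
        if hits_port and not has_source and denies:
            unscoped_deny = True
    return scoped_accept and unscoped_deny


def audit_jweb(config: str) -> list:
    """Return one finding per exposed J-Web listener; [] means off or restricted."""
    lines = config_lines(config)
    findings = []
    for svc, info in jweb_services(lines).items():
        bound = info["interfaces"]
        on_mgmt_only = bool(bound) and all(i.split(".")[0] in MGMT_INTERFACES for i in bound)
        if on_mgmt_only or lo0_filter_restricts(lines, svc):
            continue
        where = ", ".join(bound) if bound else "all interfaces"
        findings.append(f"J-Web {svc} reachable on {where} with no source restriction")
    return findings


# Constructed sample configurations (not taken from any real device).
EXPOSED_CONFIG = """
set system services web-management https system-generated-certificate
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.10/24
set interfaces fxp0 unit 0 family inet address 10.0.0.5/24
"""
RESTRICTED_CONFIG = """
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
"""
FILTERED_CONFIG = """
set system services web-management https interface ge-0/0/0.0
set policy-options prefix-list MGMT-HOSTS 10.0.0.0/24
set firewall family inet filter PROTECT-RE term jweb-mgmt from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term jweb-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-mgmt from destination-port https
set firewall family inet filter PROTECT-RE term jweb-mgmt then accept
set firewall family inet filter PROTECT-RE term jweb-deny from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-deny from destination-port https
set firewall family inet filter PROTECT-RE term jweb-deny then discard
set firewall family inet filter PROTECT-RE term rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
"""
DISABLED_CONFIG = "set system services ssh\n"

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("restricted", RESTRICTED_CONFIG),
                       ("filtered", FILTERED_CONFIG), ("disabled", DISABLED_CONFIG)):
        print(label, audit_jweb(cfg) or "ok")
```

The interface binding (`web-management https interface fxp0.0`) limits where the listener accepts connections; the lo0 filter limits who may reach it regardless of interface and is the stronger of the two controls, so the audit treats either as sufficient. The heuristic deliberately does not reason about term order, address families other than inet, or filters applied to the management interface itself; if your configuration uses those, extend it before trusting an empty result.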
For the kernel: the threat is post-compromise. CVE-2025-21590 requires shell access, which means by the time UNC3886 used it, they were already inside the box. The kernel vulnerability enabled persistence and anti-forensic capability; it was not the initial entry vector. Patching CVE-2025-21590 removes one persistence mechanism but does not answer the more consequential question of how the actor got shell access in the first place. An MX router that was not running EoL hardware, was not running J-Web on an untrusted interface, and had credential hygiene applied to its management plane had a materially different risk profile than one that didn’t. The CVSS 6.7 score on CVE-2025-21590 reflects the local, high-privilege requirement accurately; what it can’t reflect is that the actor already cleared those prerequisites before the KEV listing existed.
What to watch
The EoL hardware dimension of the 2025 campaign is the part that does not resolve with a patch cycle. If your Juniper MX infrastructure is on hardware past end-of-life, the next vulnerability will have the same answer as CVE-2025-21590 for that hardware: upgrade the platform, not the software. That the UNC3886 intrusions landed so often on EoL gear suggests the actor had already identified which devices would never close the gap.
The J-Web pattern is more predictable. When another management-interface RCE chain appears in a network appliance (and it will), the time between advisory, PoC, and exploitation will again be measured in days or less. The variable that determines your exposure window is not how fast you can patch; it is whether the surface was network-accessible to begin with. That decision was made long before the CVE existed.
PatchDayAlert tracks Juniper advisories as they land, with KEV status and affected version ranges in the daily digest, so the question of which trains are exposed is already answered before the change window opens.
Sources
- watchTowr Labs: CVE-2023-36844 And Friends: RCE in Juniper Devices — 2023-08-25
- NVD: CVE-2023-36844 — 2023
- CISA: Adds Six Known Exploited Vulnerabilities to Catalog — 2023-11-13
- Rapid7 ETR: Exploitation of Juniper Networks SRX Series and EX Series Devices — 2023-08-31
- Tenable: CVE-2025-21590 — 2025
- SecurityScorecard: CVE-2025-21590 Added to CISA KEV — 2025-03-13
- Mandiant / Google Cloud Blog: Ghost in the Router — China-Nexus Espionage Actor UNC3886 Targets Juniper Routers — 2025-03
- The Hacker News: Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits — 2025-03