CVE-2026-21902 is a critical security vulnerability classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) affecting Juniper Networks Junos OS Evolved running on PTX Series routers, specifically versions 25.4 prior to 25.4R1-S1-EVO and 25.4R2-EVO. The vulnerability exists in the On-Box Anomaly detection framework, a component designed to monitor and detect network anomalies internally via the internal routing instance. However, due to incorrect permission assignments, this service is exposed on an externally reachable port by default, contrary to its intended design. This exposure allows an unauthenticated attacker to remotely access the anomaly detection service and execute arbitrary code with root privileges. The lack of authentication and the network-based attack vector significantly increase the risk and ease of exploitation. Successful exploitation results in full control over the affected device, compromising confidentiality, integrity, and availability. The vulnerability does not affect Junos OS versions prior to 25.4R1-EVO or other Junos OS variants. No known exploits are currently reported in the wild, but the critical CVSS score of 9.8 highlights the urgent need for remediation. The root cause is improper permission configuration that fails to restrict access to the anomaly detection framework, exposing a critical internal service externally.

The impact of CVE-2026-21902 is severe for organizations deploying Juniper PTX Series routers running the affected Junos OS Evolved versions. An attacker exploiting this vulnerability can gain root-level code execution remotely without authentication, effectively taking full control of the device. This can lead to complete network disruption, interception or manipulation of network traffic, unauthorized configuration changes, and persistent backdoors within critical network infrastructure. Given that PTX Series routers are often deployed in core network environments for service providers and large enterprises, exploitation could result in widespread service outages and compromise of sensitive data traversing these devices. The vulnerability undermines the trustworthiness and reliability of network infrastructure, potentially impacting confidentiality, integrity, and availability on a large scale. The ease of exploitation and lack of required user interaction make this a high-risk threat that could be leveraged in targeted attacks or automated campaigns once exploit code becomes available.

To mitigate CVE-2026-21902, organizations should immediately upgrade affected Junos OS Evolved PTX Series devices to versions 25.4R1-S1-EVO, 25.4R2-EVO, or later where the vulnerability is patched. Until patches are applied, network administrators should restrict access to the On-Box Anomaly detection framework by implementing strict firewall rules or access control lists (ACLs) that block external access to the service ports. Verify and enforce that the anomaly detection framework is only reachable via the internal routing instance as intended. Disable the On-Box Anomaly detection framework if it is not essential for operational needs. Regularly audit device configurations to ensure no unintended exposure of internal services. Monitor network traffic and device logs for suspicious activity indicative of exploitation attempts. Additionally, consider segmenting management and control plane traffic from general network traffic to reduce exposure. Engage with Juniper Networks support for guidance and to confirm remediation status. Maintain an incident response plan tailored to network infrastructure compromise scenarios.