Thousands of Juniper Appliances Vulnerable to New Exploit 

VulnCheck details a new fileless exploit targeting a recent Junos OS vulnerability that thousands of devices have not been patched against.

Threat intelligence firm VulnCheck has published details on a new exploit targeting a recent Junos OS vulnerability and says that thousands of Juniper Networks appliances that have not been patched are at risk.

The flaw, tracked as CVE-2023-36845, is described as a PHP environment variable manipulation issue in the J-Web interface of Juniper’s SRX series firewalls and EX series switches running specific Junos OS versions.

In mid-August, the networking appliances maker released patches for this bug and three other medium-severity issues, warning that an attacker could chain them to achieve remote code execution (RCE) on a vulnerable device, and that the exploit chain should be considered as having a ‘critical severity’ rating.

Roughly one week after Juniper’s patches and following the release of a proof-of-concept (PoC) exploit chaining two of the vulnerabilities, the first malicious attacks targeting the flaws were observed.

Now, VulnCheck says it has developed a new exploit that targets only CVE-2023-36845 and leads to RCE without chaining it with other bugs.

What’s more, the threat intelligence firm says that the exploit allows an unauthenticated attacker to execute code without creating a file on the vulnerable Juniper appliance’s system, and that most of the internet-exposed Juniper devices remain vulnerable, as they have not been patched yet.

In devising the fileless attack, VulnCheck based its research on the previously released PoC exploit, which relied on uploading two files to the vulnerable appliance to achieve RCE.

VulnCheck discovered that it could leak sensitive information and achieve remote code execution via an HTTP request, by abusing legitimate FreeBSD functions (the vulnerable devices run FreeBSD) and without dropping a single file on the system.

“Just like that, by only using CVE-2023-36845, we’ve achieved unauthenticated and remote code execution without actually dropping a file on disk. Our private exploit establishes a reverse shell, but that’s quite trivial once you’ve reached this point,” VulnCheck notes.

To check the number of potentially affected devices that are exposed to the internet, VulnCheck performed a Shodan search, which returned roughly 15,000 results. An analysis of approximately 3,000 of these devices showed that 79% are not patched against CVE-2023-36845.

“Firewalls are interesting targets to APT as they help bridge into the protected network and can serve as useful hosts for [command-and-control] infrastructure. Anyone who has an unpatched Juniper firewall should examine it for signs of compromise,” VulnCheck notes.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
