T
Threats
Multiple Juniper Junos Vulnerabilities

Overview
Advisory Date: 9 July 2026
Vendor: Juniper
Affected Products: Junos OS, Junos OS Evolved, Junos Space, cRPD, Network Director, CTPView
Summary
Juniper Networks released its July 2026 security bulletin bundle on 9 July 2026, covering 27 advisories across Junos OS, Junos OS Evolved, Junos Space, cRPD, Network Director, and CTPView - 23 individual CVEs plus 4 bundled product advisories. The majority are denial-of-service (crash) conditions that require specific hardware, configurations, or platform modes, and there is no known active exploitation of any issue in this bundle at the time of writing.
The most relevant items for most organisations are the access-control and security-control weaknesses on SRX firewalls/VPNs and EX switches, which we detail first; the remaining routing and control-plane fixes and management-product bundles should be applied as part of normal Junos maintenance.
Affected Versions
Juniper has released patched versions for each affected product. Key affected platforms include:
Junos OS on SRX Series, MX Series (with SPC3), EX Series, QFX Series
Junos OS Evolved on PTX Series, QFX Series
Junos Space (prior to 26.1R1 Patch V1)
cRPD (prior to 26.2R1)
Network Director (prior to 7.1R3)
CTPView (prior to 9.3R2-3)
Featured Vulnerabilities
These are the highest-value items for most organisations: the access-control and security-control weaknesses on SRX firewalls/VPNs and EX switches. Prioritise these for assessment and patching.
Access & Security-Control Weaknesses
CVE-2026-33802 - Unauthorised Service-Impacting CLI Command, EX Series (JSA110077)
Type: Unauthorised access / privilege issue
Severity: Medium
Description: A low-privileged, authenticated user can execute a service-impacting CLI command on EX Series switches.
Impact: Service disruption triggered by accounts that should not have that capability.
Conditions: Requires an authenticated low-privilege account.
CVE-2026-57054 - Web Filtering URL Bypass, MX Series (JSA110093)
Type: Security-control bypass
Severity: Medium
Description: Web filtering fails to block specifically formatted URLs.
Impact: Users can reach content that policy is meant to block.
Conditions: Web filtering configured on MX Series.
CVE-2026-57028 / CVE-2026-33803 - Inadvertently Exposed Port Reachable by an Attacker, Junos OS Evolved (JSA110088 / JSA110078)
Type: Exposure / unauthorised reachability
Severity: High
Description: A port that has been inadvertently exposed can be reached by an attacker. The two CVEs cover different affected version ranges.
Impact: Potential unauthorised access to services that should not be externally reachable.
Conditions: Affected Junos OS Evolved versions.
SRX Firewall / VPN Denial of Service
CVE-2026-57021 - VPN Compliance-Check http-gk Crash, SRX Series (JSA110081)
Type: Denial of Service
Severity: High
Description: With VPN compliance-check configured, an attacker can crash the http-gk process.
Impact: VPN service disruption.
Conditions: VPN compliance-check must be configured.
CVE-2026-57024 - VPN Negotiation Failure iked Crash, MX (SPC3) / SRX (JSA110084)
Type: Denial of Service
Severity: High
Description: Repeated VPN negotiation failures eventually cause iked to crash continuously.
Impact: Inability to establish new VPN connections.
Conditions: Repeated VPN negotiation failures.
CVE-2026-57030 - Flow Session Exhaustion DoS, SRX Series (JSA110090)
Type: Denial of Service
Severity: High
Description: Flow sessions are not cleared, leading to resource exhaustion and denial of service.
Impact: Traffic forwarding failure.
Conditions: Sustained traffic without session cleanup.
CVE-2026-57023 - Malformed TCP Packet flowd Crash, MX (SPC3) / SRX (JSA110083)
Type: Denial of Service
Severity: High
Description: A specifically malformed TCP packet causes a flowd crash.
Impact: Flow processing and traffic forwarding disruption.
Conditions: Unauthenticated, network-based attacker.
CVE-2026-57022 - TCP Connection PFE Crash, MX (SPC3) / SRX (JSA110082)
Type: Denial of Service
Severity: High
Description: A specific packet sent in response to a TCP connection establishment can crash the PFE.
Impact: Packet forwarding engine crash and traffic disruption.
Conditions: Unauthenticated, network-based attacker.
CVE-2026-57026 - Malformed SIP Invite flowd Crash, MX (SPC3) / SRX (JSA110086)
Type: Denial of Service
Severity: High
Description: Processing of a specifically malformed SIP invite causes a flowd crash.
Impact: Flow processing disruption.
Conditions: Unauthenticated attacker; SIP ALG processing.
EX Switching
CVE-2026-57027 - sFlow Multicast FPC Crash, EX4100 / EX4400 (JSA110087)
Type: Denial of Service
Severity: High
Description: With sFlow configured in a Virtual Chassis scenario, multicast traffic leads to an FPC crash.
Impact: Line-card crash and traffic disruption.
Conditions: sFlow configured in a VC scenario with multicast traffic.
CVE-2026-57032 - Telemetry Sensor fxpc Crash, EX Series (JSA110092)
Type: Denial of Service
Severity: Medium
Description: Subscribing to an unsupported telemetry sensor path causes the fxpc process to crash.
Impact: fxpc process crash.
Conditions: Authenticated user subscribing to an unsupported telemetry sensor path.
Additional Fixes (Secondary - patch in your normal maintenance cycle)
The following issues are lower urgency for most organisations. They are largely conditional denial-of-service conditions on core and provider-edge routing platforms, or bundled fixes in Juniper management products. All remain listed for completeness - apply them as part of your normal Junos maintenance cycle.
Routing & control-plane denial of service (Junos OS / Junos OS Evolved):
CVE-2026-33799 - Specific SNMPv3 request causes snmpd memory leak and crash (JSA110074)
CVE-2026-21901 - Specific SSH option configuration causes mgd crash (JSA110072)
CVE-2026-33801 - Malformed BGP route update causes rpd crash (JSA110076)
CVE-2026-57025 - Specific 'show l2-learning' command causes l2ald crash; EX / QFX / MX (JSA110085)
CVE-2026-57029 - sFlow collector reachability change causes evo-pfemand crash; QFX Evolved (JSA110089)
CVE-2026-33800 - High rate of micro-BFD session flaps causes FPC crash in a VC; MX (JSA110075)
CVE-2026-57019 - Specific traffic causes an FPC to reset; MX (JSA110079)
CVE-2026-33794 - Repeated ECMP routing updates cause PFE crash; PTX Evolved (JSA110073)
CVE-2026-57020 - IPv6 multicast on non-IRB interfaces causes a multicast flood; QFX10000 (JSA110080)
CVE-2026-57031 - Input filters not applied for subscribers on static interfaces; MX (JSA110091)
Legacy fix (Junos OS Evolved):
CVE-2020-7450 - Heap buffer overflow in libfetch via crafted URLs. This carries the highest CVSS in the bundle (9.8) but is a legacy FreeBSD issue affecting Junos OS Evolved only and requires processing of specially crafted URLs (JSA110068).
Bundled management-product advisories (update to the fixed release):
Junos Space → 26.1R1 Patch V1 (JSA110070)
cRPD → 26.2R1 (JSA110071)
Network Director → 7.1R3 (JSA110069)
CTPView → 9.3R2-3 (JSA110067)
Mitigation
Update all affected Junos OS and Junos OS Evolved devices to the latest patched releases as specified in each JSA advisory
Update Junos Space to 26.1R1 Patch V1 or later
Update cRPD to 26.2R1 or later
Update Network Director to 7.1R3 or later
Update CTPView to 9.3R2-3 or later
Review network configurations for exposed ports on Junos OS Evolved devices
Audit sFlow and BFD configurations on affected platforms
Verify VPN compliance-check configurations on SRX Series devices
Implement network-level filtering where immediate patching is not possible
Summary for IT Teams
Products: Junos OS, Junos OS Evolved, Junos Space, cRPD, Network Director, CTPView (SRX, MX, EX, QFX and PTX Series)
Threat Level: High - highest CVSS 9.8 (legacy libfetch flaw, Junos OS Evolved only); the majority are conditional denial-of-service issues, with no known active exploitation at the time of writing.
Action Required: Apply the latest patched Junos OS and Junos OS Evolved releases per each JSA, prioritising the SRX firewall/VPN and EX switch issues plus the access-control (CVE-2026-33802) and web-filtering (CVE-2026-57054) weaknesses. Update Junos Space to 26.1R1 Patch V1, cRPD to 26.2R1, Network Director to 7.1R3 and CTPView to 9.3R2-3. Where immediate patching is not possible, restrict management-plane exposure and apply network-level filtering. If you do not run Juniper at the network edge, this bundle is low urgency.
Need help?
Please get in touch on 1300 769 460 or email us. We are here to help you strengthen your cybersecurity posture.
