T

Threats

Multiple Juniper Junos Vulnerabilities

Overview

  • Advisory Date: 9 July 2026

  • Vendor: Juniper

  • Affected Products: Junos OS, Junos OS Evolved, Junos Space, cRPD, Network Director, CTPView


Summary

Juniper Networks released its July 2026 security bulletin bundle on 9 July 2026, covering 27 advisories across Junos OS, Junos OS Evolved, Junos Space, cRPD, Network Director, and CTPView - 23 individual CVEs plus 4 bundled product advisories. The majority are denial-of-service (crash) conditions that require specific hardware, configurations, or platform modes, and there is no known active exploitation of any issue in this bundle at the time of writing.

The most relevant items for most organisations are the access-control and security-control weaknesses on SRX firewalls/VPNs and EX switches, which we detail first; the remaining routing and control-plane fixes and management-product bundles should be applied as part of normal Junos maintenance.


Affected Versions

Juniper has released patched versions for each affected product. Key affected platforms include:

  • Junos OS on SRX Series, MX Series (with SPC3), EX Series, QFX Series

  • Junos OS Evolved on PTX Series, QFX Series

  • Junos Space (prior to 26.1R1 Patch V1)

  • cRPD (prior to 26.2R1)

  • Network Director (prior to 7.1R3)

  • CTPView (prior to 9.3R2-3)


Featured Vulnerabilities

These are the highest-value items for most organisations: the access-control and security-control weaknesses on SRX firewalls/VPNs and EX switches. Prioritise these for assessment and patching.

Access & Security-Control Weaknesses

CVE-2026-33802 - Unauthorised Service-Impacting CLI Command, EX Series (JSA110077)

  • Type: Unauthorised access / privilege issue

  • Severity: Medium

  • Description: A low-privileged, authenticated user can execute a service-impacting CLI command on EX Series switches.

  • Impact: Service disruption triggered by accounts that should not have that capability.

  • Conditions: Requires an authenticated low-privilege account.

CVE-2026-57054 - Web Filtering URL Bypass, MX Series (JSA110093)

  • Type: Security-control bypass

  • Severity: Medium

  • Description: Web filtering fails to block specifically formatted URLs.

  • Impact: Users can reach content that policy is meant to block.

  • Conditions: Web filtering configured on MX Series.

CVE-2026-57028 / CVE-2026-33803 - Inadvertently Exposed Port Reachable by an Attacker, Junos OS Evolved (JSA110088 / JSA110078)

  • Type: Exposure / unauthorised reachability

  • Severity: High

  • Description: A port that has been inadvertently exposed can be reached by an attacker. The two CVEs cover different affected version ranges.

  • Impact: Potential unauthorised access to services that should not be externally reachable.

  • Conditions: Affected Junos OS Evolved versions.


SRX Firewall / VPN Denial of Service

CVE-2026-57021 - VPN Compliance-Check http-gk Crash, SRX Series (JSA110081)

  • Type: Denial of Service

  • Severity: High

  • Description: With VPN compliance-check configured, an attacker can crash the http-gk process.

  • Impact: VPN service disruption.

  • Conditions: VPN compliance-check must be configured.

CVE-2026-57024 - VPN Negotiation Failure iked Crash, MX (SPC3) / SRX (JSA110084)

  • Type: Denial of Service

  • Severity: High

  • Description: Repeated VPN negotiation failures eventually cause iked to crash continuously.

  • Impact: Inability to establish new VPN connections.

  • Conditions: Repeated VPN negotiation failures.

CVE-2026-57030 - Flow Session Exhaustion DoS, SRX Series (JSA110090)

  • Type: Denial of Service

  • Severity: High

  • Description: Flow sessions are not cleared, leading to resource exhaustion and denial of service.

  • Impact: Traffic forwarding failure.

  • Conditions: Sustained traffic without session cleanup.

CVE-2026-57023 - Malformed TCP Packet flowd Crash, MX (SPC3) / SRX (JSA110083)

  • Type: Denial of Service

  • Severity: High

  • Description: A specifically malformed TCP packet causes a flowd crash.

  • Impact: Flow processing and traffic forwarding disruption.

  • Conditions: Unauthenticated, network-based attacker.

CVE-2026-57022 - TCP Connection PFE Crash, MX (SPC3) / SRX (JSA110082)

  • Type: Denial of Service

  • Severity: High

  • Description: A specific packet sent in response to a TCP connection establishment can crash the PFE.

  • Impact: Packet forwarding engine crash and traffic disruption.

  • Conditions: Unauthenticated, network-based attacker.

CVE-2026-57026 - Malformed SIP Invite flowd Crash, MX (SPC3) / SRX (JSA110086)

  • Type: Denial of Service

  • Severity: High

  • Description: Processing of a specifically malformed SIP invite causes a flowd crash.

  • Impact: Flow processing disruption.

  • Conditions: Unauthenticated attacker; SIP ALG processing.


EX Switching

CVE-2026-57027 - sFlow Multicast FPC Crash, EX4100 / EX4400 (JSA110087)

  • Type: Denial of Service

  • Severity: High

  • Description: With sFlow configured in a Virtual Chassis scenario, multicast traffic leads to an FPC crash.

  • Impact: Line-card crash and traffic disruption.

  • Conditions: sFlow configured in a VC scenario with multicast traffic.

CVE-2026-57032 - Telemetry Sensor fxpc Crash, EX Series (JSA110092)

  • Type: Denial of Service

  • Severity: Medium

  • Description: Subscribing to an unsupported telemetry sensor path causes the fxpc process to crash.

  • Impact: fxpc process crash.

  • Conditions: Authenticated user subscribing to an unsupported telemetry sensor path.


Additional Fixes (Secondary - patch in your normal maintenance cycle)

The following issues are lower urgency for most organisations. They are largely conditional denial-of-service conditions on core and provider-edge routing platforms, or bundled fixes in Juniper management products. All remain listed for completeness - apply them as part of your normal Junos maintenance cycle.

Routing & control-plane denial of service (Junos OS / Junos OS Evolved):

  • CVE-2026-33799 - Specific SNMPv3 request causes snmpd memory leak and crash (JSA110074)

  • CVE-2026-21901 - Specific SSH option configuration causes mgd crash (JSA110072)

  • CVE-2026-33801 - Malformed BGP route update causes rpd crash (JSA110076)

  • CVE-2026-57025 - Specific 'show l2-learning' command causes l2ald crash; EX / QFX / MX (JSA110085)

  • CVE-2026-57029 - sFlow collector reachability change causes evo-pfemand crash; QFX Evolved (JSA110089)

  • CVE-2026-33800 - High rate of micro-BFD session flaps causes FPC crash in a VC; MX (JSA110075)

  • CVE-2026-57019 - Specific traffic causes an FPC to reset; MX (JSA110079)

  • CVE-2026-33794 - Repeated ECMP routing updates cause PFE crash; PTX Evolved (JSA110073)

  • CVE-2026-57020 - IPv6 multicast on non-IRB interfaces causes a multicast flood; QFX10000 (JSA110080)

  • CVE-2026-57031 - Input filters not applied for subscribers on static interfaces; MX (JSA110091)

Legacy fix (Junos OS Evolved):

  • CVE-2020-7450 - Heap buffer overflow in libfetch via crafted URLs. This carries the highest CVSS in the bundle (9.8) but is a legacy FreeBSD issue affecting Junos OS Evolved only and requires processing of specially crafted URLs (JSA110068).

Bundled management-product advisories (update to the fixed release):


Mitigation

  • Update all affected Junos OS and Junos OS Evolved devices to the latest patched releases as specified in each JSA advisory

  • Update Junos Space to 26.1R1 Patch V1 or later

  • Update cRPD to 26.2R1 or later

  • Update Network Director to 7.1R3 or later

  • Update CTPView to 9.3R2-3 or later

  • Review network configurations for exposed ports on Junos OS Evolved devices

  • Audit sFlow and BFD configurations on affected platforms

  • Verify VPN compliance-check configurations on SRX Series devices

  • Implement network-level filtering where immediate patching is not possible


Summary for IT Teams

  • Products: Junos OS, Junos OS Evolved, Junos Space, cRPD, Network Director, CTPView (SRX, MX, EX, QFX and PTX Series)

  • Threat Level: High - highest CVSS 9.8 (legacy libfetch flaw, Junos OS Evolved only); the majority are conditional denial-of-service issues, with no known active exploitation at the time of writing.

  • Action Required: Apply the latest patched Junos OS and Junos OS Evolved releases per each JSA, prioritising the SRX firewall/VPN and EX switch issues plus the access-control (CVE-2026-33802) and web-filtering (CVE-2026-57054) weaknesses. Update Junos Space to 26.1R1 Patch V1, cRPD to 26.2R1, Network Director to 7.1R3 and CTPView to 9.3R2-3. Where immediate patching is not possible, restrict management-plane exposure and apply network-level filtering. If you do not run Juniper at the network edge, this bundle is low urgency.


Need help?

Please get in touch on 1300 769 460 or email us. We are here to help you strengthen your cybersecurity posture.

Cta Image

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.

Cta Image

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.

Cta Image

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.