Sometimes, You Can Just Feel The Security In The Design (Juniper Junos Evolved CVE-2026-21902 Pre-Auth RCE)
CVE-2026-21902 is a critical (CVSS 9.8) pre-authentication remote code execution vulnerability in Juniper's Junos OS Evolved on PTX Series routers. The On-Box Anomaly Detection Framework, a Python-based REST API running as root on port 8160/TCP, is supposed to be restricted to internal interfaces but actually binds to 0.0.0.0. An unauthenticated attacker can exploit the API by creating a command with type RE-SHELL, wrapping it in a DAG and DAG instance, then committing it — causing the schedule_enforcer to pass the attacker-controlled syntax string directly to subprocess.run() with shell=True, achieving root-level code execution. A proof-of-concept detection tool is available on GitHub.
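A defender-side check for the exposure described above, as an added example that is not from the original article or from Juniper: it parses `ss -ltn` text and reports how each listener on port 8160 is bound, flagging wildcard binds. The sample output is constructed, and the availability of `ss` on the device is an assumption.

```python
import ipaddress

API_PORT = 8160  # port named on this page

# Constructed sample of `ss -ltn` output (not captured from a real device).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:8160         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8160       0.0.0.0:*
LISTEN 0      128    [::]:8160            [::]:*
LISTEN 0      128    *:8160               *:*
LISTEN 0      128    192.0.2.10%eth0:8160 0.0.0.0:*
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
"""


def classify_bind(addr):
    """Return 'wildcard', 'loopback', 'specific' or 'unknown' for a listen address."""
    host = addr.split("%", 1)[0].strip("[]")  # drop %iface scope, then IPv6 brackets
    if host == "*":
        return "wildcard"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"  # non-numeric address; rerun ss with -n
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"


def audit_listeners(ss_text, port=API_PORT):
    """Return (local_address, classification) for every listener on `port`."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header, blank line or non-listening socket
        addr, _, port_str = fields[3].rpartition(":")
        if port_str.isdigit() and int(port_str) == port:
            findings.append((fields[3], classify_bind(addr)))
    return findings


def wildcard_listeners(ss_text, port=API_PORT):
    """Local addresses on `port` bound to every interface."""
    return [local for local, kind in audit_listeners(ss_text, port) if kind == "wildcard"]


if __name__ == "__main__":
    for local, kind in audit_listeners(SAMPLE_SS):
        print(f"{local:24} {kind}")
```

A `specific` result still needs review against the intended internal interfaces; only `loopback` is unreachable from other hosts.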