Introduction
A symlink following flaw in the Juniper Networks Junos OS CLI lets a low privileged local user quietly plant the conditions for root access, with the actual escalation triggered unknowingly by a second user committing routine configuration changes. Given Juniper's position as the second largest vendor in core routers (25% market share) and enterprise firewalls (24.8%), this vulnerability, tracked as CVE-2026-21916, has the potential to affect a significant number of production network environments worldwide.
Technical Information
CVE-2026-21916 is classified under CWE-61: UNIX Symbolic Link (Symlink) Following. The root cause lies in how the Junos OS CLI processes the file link operation and how the system resolves symbolic links during configuration commit workflows.
Root Cause
The Junos OS CLI exposes a file link command that allows users to create symbolic links on the filesystem. The vulnerability exists because the commit process, when executed by any user, resolves symbolic links created by other users in a privileged context. Specifically, the symlink resolution during a commit operation inherits elevated (root) privileges rather than being scoped to the permissions of the user who originally created the link. This is a classic symlink following flaw: a low privileged user creates a symlink pointing to a sensitive location, and a privileged process (the commit handler) follows it without verifying the originating user's authorization.
Attack Flow
The exploitation of CVE-2026-21916 follows a specific, multi step sequence involving two distinct users:
-
Symlink Creation: A local, authenticated attacker with low privileges logs into the Junos OS CLI and executes a specific
file link ...command. This creates a symbolic link on the filesystem. The exact target of the symlink is crafted to facilitate privilege escalation. -
Waiting for a Commit: The attacker does not need to perform any further action. They simply wait for any other authenticated user on the same system to commit a configuration change. This commit can be entirely unrelated to the attacker's symlink operation.
-
Privilege Escalation: When the second user commits their configuration changes, the Junos OS commit process follows the attacker's symbolic link in a privileged (root) context. This improperly resolves the symlink with elevated permissions, modifying the system state in a way that grants the original attacker root access.
-
Root Login: After the commit completes, the original low privileged attacker can now log in as root, achieving complete system compromise.
This cross user interaction requirement is notable. The attacker does not need to compromise or coordinate with the second user; they simply need to operate in a shared environment where configuration commits happen routinely, which is the norm in most operational network teams.
CVSS Scoring
The vulnerability has been scored across multiple CVSS standards:
| Metric Standard | Base Score | Severity | Vector String |
|---|---|---|---|
| CVSS 4.0 | 7.0 | High | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L |
| CVSS 3.1 | 7.3 | High | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| CVSS 2.0 | 6.8 | Medium | CVSS2:L/AC:L/Au:S/C:C/I:C/A:C |
The local access vector and the requirement for user interaction from a secondary account reduce the exploitability subscore, but the impact on confidentiality, integrity, and availability is rated as High across the board. The Tenable VPR score of 8.4 (High) further reflects the elevated risk profile.
Patch Information
Juniper Networks addressed CVE-2026-21916 through firmware level patches released on April 8, 2026, as part of their quarterly security bulletin cycle. The fix is documented in Juniper Security Advisory JSA107807 and internally tracked under PR1865633.
The patch closes the privilege escalation gap by ensuring that symlink resolution during the commit process no longer inherits or escalates privileges beyond what the originating user holds. This directly addresses the CWE-61 root cause.
Juniper released fixes across the following supported Junos OS release trains:
| Release Train | Fixed Version |
|---|---|
| 23.2 | 23.2R2-S7 and later |
| 23.4 | 23.4R2-S6 and later |
| 24.2 | 24.2R2-S3 and later |
| 24.4 | 24.4R2-S2 and later |
| 25.2 | 25.2R2 and later |
| 25.4+ | Not affected (25.4R1 and all subsequent releases) |
All versions prior to the fixed releases across each respective train are vulnerable. This includes legacy branches that have reached End of Engineering (EOE) or End of Life (EOL), which Juniper does not evaluate or patch. Organizations running older branches should prioritize upgrading to a supported and patched train.
The fact that the 25.4 release train was never affected suggests the vulnerable code path was already refactored or redesigned in that branch before the flaw was identified. This is a useful data point for organizations evaluating whether to move to a newer major release.
For environments where an immediate software upgrade is not feasible, Juniper recommends restricting access controls to prevent users from performing file link operations on the CLI as a temporary workaround. This neutralizes the initial condition required for the exploit chain. However, this should only be treated as a stopgap; the definitive fix is applying one of the patched Junos OS releases listed above.
Detection Methods
Nessus Plugin
The most readily available and verified detection method is the Tenable Nessus plugin (ID 305598), released on April 8, 2026, under the "Junos Local Security Checks" family. This plugin, contained in the file juniper_jsa107807.nasl, performs a version based check against the device's self reported Junos OS version. It compares the running version against the list of fixed releases specified in advisory JSA107807. The plugin relies on the Host/Juniper/JUNOS/Version KB item, meaning it requires authenticated access to the device. A VPR score of 8.4 (High) has been assigned. Organizations using Tenable Nessus or Tenable.io can immediately deploy this plugin to scan for vulnerable installations across their network infrastructure.
Network and Host Level Detection
At this time, no public YARA rules, Sigma rules, Snort/Suricata IDS signatures, or specific network level IoCs have been published for CVE-2026-21916. This is expected given the recency of disclosure and the fact that the attack is a local privilege escalation rather than a network exploitable vulnerability, making traditional network IDS/IPS signatures inherently less applicable.
Behavioral Monitoring
For host level detection, security teams should focus monitoring on the specific attack chain:
- Monitor Junos OS system logs and audit trails for any use of the
file linkCLI command, especially by low privileged users. Any unexpected symbolic link creation activity should be treated as a potential indicator of exploitation attempts. - Track configuration commit events and correlate them with prior
file linkoperations by different users. The exploit requires a specific sequence: symlink creation followed by a commit from another user. - Watch for unexpected root level logins, particularly following the above sequence of events. A low privileged account suddenly authenticating as root is a strong indicator of successful exploitation.
- Use the
show system audit root-onlycommand on Junos OS devices to capture filesystem state and MD5 checksums. By saving baseline output and periodically comparing it against current state, administrators can detect unauthorized file modifications or suspicious symbolic links that may indicate compromise.
Manual Version Verification
To proactively assess exposure, verify the running Junos OS version against the affected version ranges: all versions before 23.2R2-S7, 23.4 versions before 23.4R2-S6, 24.2 versions before 24.2R2-S3, 24.4 versions before 24.4R2-S2, and 25.2 versions before 25.2R2. Versions 25.4R1 and later are not affected.
Affected Systems and Versions
The vulnerability impacts multiple Junos OS release trains. The following table summarizes the affected and unaffected versions:
| Junos OS Release Train | Affected Versions | Fixed Version |
|---|---|---|
| Pre 23.2 (legacy) | All versions (EOL, no patch available) | Upgrade to supported train |
| 23.2 | All versions before 23.2R2-S7 | 23.2R2-S7 and later |
| 23.4 | All versions before 23.4R2-S6 | 23.4R2-S6 and later |
| 24.2 | All versions before 24.2R2-S3 | 24.2R2-S3 and later |
| 24.4 | All versions before 24.4R2-S2 | 24.4R2-S2 and later |
| 25.2 | All versions before 25.2R2 | 25.2R2 and later |
| 25.4 and newer | Not affected | 25.4R1 and all subsequent releases |
The vulnerability specifically affects environments where multiple users share CLI access to the same Junos OS device, which is common in network operations centers and managed service provider environments.
Vendor Security History
Juniper Networks has faced significant security incidents in the past that provide important context. In December 2015, an analysis of Juniper's ScreenOS firmware revealed a backdoor key using Dual EC DRBG. This unauthorized code allowed attackers to passively decrypt VPN traffic and gain administrative access via a master password. While CVE-2026-21916 is a standard software vulnerability rather than a backdoor, the vendor's history underscores the importance of rigorous security auditing and prompt patch deployment for Juniper products.
Juniper's position as the second largest vendor in core routers and enterprise firewalls means that vulnerabilities in Junos OS have outsized impact across critical infrastructure sectors globally.
