Introduction
A missing authorization check in Juniper Networks Junos OS on MX Series routers quietly allowed any locally authenticated user to execute privileged management commands that cascade across every device managed by that MX platform. For organizations running MX Series routers in Juniper Device Manager (JDM) or Connected Security Distributed Services (CSDS) scenarios, this flaw meant that a single low privilege CLI session could lead to a complete compromise of the broader managed infrastructure, earning a CVSS v3.1 score of 8.8 with a changed scope designation.
The vulnerability, tracked as CVE-2026-33785, was disclosed by Juniper on April 8, 2026 as part of a batch of 28 security bulletins. Multiple international CERTs, including the Saudi National Cybersecurity Authority, Hong Kong CERT, and Norwegian JustisCERT, have issued high priority alerts urging immediate patching.
Technical Information
Root Cause: Missing Authorization (CWE-862)
The vulnerability exists because the Junos OS CLI did not enforce authorization requirements on the request csds family of operational commands. These commands are designed to interact with the JDM and CSDS management plane, giving the operator control over all aspects of the devices managed through the MX Series router. By design, only high privilege administrators or users explicitly designated for JDM/CSDS operations should be able to invoke them.
However, the CLI accepted these commands from any locally authenticated user session, regardless of the user's assigned privilege level. There was simply no authorization gate between the command parser and the underlying CSDS functionality.
Impact and Scope
The CVSS v3.1 vector is particularly notable because the scope is marked as changed (S:C). This means the vulnerability in the MX router's CLI crosses a security boundary: exploitation on the MX itself leads to compromise of separate managed devices downstream. Confidentiality, integrity, and availability are all rated High in the impact metrics.
| Scoring System | Base Score | Severity | Key Details |
|---|---|---|---|
| CVSS v3.1 | 8.8 | High | Local access, low privileges, no user interaction, scope changed |
| CVSS v4.0 | 6.3 | Medium | Local access, low privileges, no user interaction |
Attack Flow
Based on the advisory details, exploitation follows a straightforward path:
-
Initial Access: An attacker obtains any level of authenticated CLI access to an MX Series router running an affected Junos OS version. This could be a low privilege operator account, a monitoring account, or any other user with shell or CLI access.
-
Command Execution: The attacker issues
request csdsCLI operational commands. No privilege escalation exploit or additional tooling is required; the commands are accepted by the CLI without any authorization check. -
Management Plane Compromise: Because the
request csdscommands interact with the JDM/CSDS management plane, the attacker gains the ability to impact all aspects of the devices managed via the respective MX router. This constitutes a complete compromise of the managed device fleet, affecting confidentiality, integrity, and availability.
The local access requirement means this is not remotely exploitable over the network without first obtaining an authenticated session on the device. However, in environments where multiple operators share access to MX routers with varying privilege levels, the barrier to exploitation is minimal.
Patch Information
Juniper Networks addressed CVE-2026-33785 through official firmware updates released on April 8, 2026, as documented in security advisory JSA107872 (internal tracking: PR1914935). The patch introduces proper authorization enforcement so that request csds commands are restricted to users who hold the appropriate privilege level.
The fix was incorporated into the following Junos OS releases for MX Series:
| Branch | Fixed Release | Status |
|---|---|---|
| 24.4 | 24.4R2-S3 | Available |
| 25.2 | 25.2R2 | Available |
| 25.4 | 25.4R1 | Available (first release of this branch includes the fix) |
All subsequent releases after these versions also carry the fix. Junos OS releases prior to 24.4 are not affected at all because the vulnerable request csds functionality was introduced in the 24.4 train, so older branches do not require patching.
Tenable released Nessus plugin 305592 (juniper_jsa107872.nasl) on the same day to enable automated detection of unpatched devices via the device's self reported version number.
Detection Methods
Vulnerability Scanner Detection (Tenable Nessus)
Tenable released Nessus Plugin ID 305592 on April 8, 2026, specifically designed for this vulnerability. The plugin file is named juniper_jsa107872.nasl and belongs to the Junos Local Security Checks family. It operates as a "combined" type plugin, meaning it can work with both local and remote data. Its detection approach is version based: it cross references the self reported Junos OS version on the device against the known affected version ranges. To function, the plugin requires two KB items to be populated on the target: Host/Juniper/model and Host/Juniper/JUNOS/Version. If your organization uses Tenable Nessus or Tenable.io, ensure your plugin feed is updated past the April 8, 2026 release and run authenticated scans against your MX Series fleet.
Version Based Identification
The Juniper security bulletin (JSA107872) provides precise affected version boundaries for manual or scripted auditing:
- 24.4 releases before 24.4R2-S3
- 25.2 releases before 25.2R2
Junos OS releases prior to 24.4 are not affected. Network operations teams can check the running Junos version on each MX Series device and compare it against these boundaries to identify exposure. This is especially useful in environments where automated vulnerability scanners cannot reach all network devices.
CLI Command Audit Logging
The core of this vulnerability lies in the fact that any locally authenticated user can issue request csds CLI operational commands that should be restricted. This makes CLI command auditing a powerful detection angle. Organizations should review their Junos system logs and AAA (authentication, authorization, and accounting) records for any execution of request csds commands by users who are not explicitly authorized for JDM or CSDS operations. Unexpected or anomalous invocations of these commands, particularly by low privilege accounts, could indicate attempted or successful exploitation.
What Is Not Available Yet
As of this writing, no public Sigma rules, YARA rules, Snort/Suricata IDS signatures, or published Indicators of Compromise (IoCs) are available for this vulnerability. Because the attack vector is local (requiring authenticated CLI access), network layer IDS/IPS signatures would not be effective for detection. The focus should remain on endpoint level version verification and CLI audit log analysis.
Affected Systems and Versions
This vulnerability affects Juniper Networks Junos OS on MX Series routers only in JDM/CSDS deployment scenarios.
Affected versions:
- Junos OS 24.4 releases prior to 24.4R2-S3
- Junos OS 25.2 releases prior to 25.2R2
Not affected:
- Junos OS releases prior to version 24.4 (the vulnerable
request csdsfunctionality was introduced in the 24.4 train) - Non MX Series Juniper platforms
Vendor Security History
Juniper Networks, now part of HPE, maintains an active product security incident response process. On April 8, 2026, Juniper published a total of 28 security bulletins addressing various vulnerabilities across their product ecosystem. This coordinated batch release demonstrates a structured approach to vulnerability disclosure and remediation. The advisory for CVE-2026-33785 is tracked internally by Juniper as JSA107872 and PR1914935.
The breadth of the April 2026 bulletin batch, combined with the rapid response from international CERTs (Saudi NCA categorized the risk as "very high" targeting finance, telecommunications, and government sectors), underscores the importance of maintaining current patch levels on Juniper infrastructure.
References
- NVD: CVE-2026-33785
- CVE Record: CVE-2026-33785
- Juniper KB: JSA107872
- Juniper Support Portal: 2026-04 Security Bulletin
- Tenable CVE Page: CVE-2026-33785
- Tenable Nessus Plugin 305592
- Saudi National Cybersecurity Authority Alert
- Hong Kong CERT Alert
- Norwegian JustisCERT Advisory
- Feedly CVE Tracking: CVE-2026-33785
