Introduction
A local privilege escalation flaw in Juniper Networks Junos OS and Junos OS Evolved allows any low privileged user with shell access to gain full root control of the device by executing a crafted Python op script. What makes this particularly noteworthy is that Junos OS Evolved platforms running release 21.2R1 or later are exposed by default, since the junos-defaults configuration group silently enables unsigned Python script execution without any explicit administrator action.
CVE-2026-33793 carries a CVSS 3.1 score of 7.8 and a CVSS 4.0 score of 8.5. While the attack requires local access and a specific configuration state, the payoff is complete system compromise via root privileges. Multiple international CERTs, including the Saudi NCA and Hong Kong GovCERT, have issued advisories urging immediate remediation.
Technical Information
Root Cause
The vulnerability falls under CWE-250: Execution with Unnecessary Privileges. The core problem lies in the op script execution engine within the Junos User Interface. When the device configuration permits unsigned Python op scripts, the engine executes those scripts with root equivalent privileges regardless of the privilege level of the user who invoked them. There is no privilege boundary enforcement between the calling user's context and the script's execution context.
By default, Junos devices block unsigned Python scripts. However, when an administrator configures the language python or language python3 statement at the [edit system scripts] hierarchy level, the system permits execution of unsigned Python automation scripts. This is the prerequisite configuration that opens the door to exploitation.
A critical detail for Junos OS Evolved: starting from release 21.2R1, the junos-defaults configuration group automatically includes the language python statement. This means Evolved platforms have a wider default exposure surface compared to standard Junos OS, where the configuration must be explicitly added by an administrator.
Attack Flow
The exploitation path is straightforward for an attacker who already has local, low privileged access to a Junos device:
-
Prerequisite check: The attacker confirms that the target device has
language python3(orlanguage python) configured under[edit system scripts]. On Junos OS Evolved 21.2R1 and later, this is present by default. -
Script placement: The attacker places a crafted Python op script in the appropriate scripts directory on the device (e.g.,
/var/db/scripts/op/). -
Execution: The attacker invokes the malicious op script through the Junos CLI or operational interface. Because the execution engine does not enforce proper privilege separation, the script runs with root equivalent privileges.
-
Privilege escalation achieved: The attacker now has full root access to the system, enabling arbitrary command execution, configuration modification, data exfiltration, or lateral movement.
Remote Script Execution as an Expanded Attack Surface
The risk profile grows if administrators have also enabled remote script execution. By default, Python op scripts cannot be executed from remote URLs. However, if the allow-url-for-python statement is configured under the [edit system scripts op] hierarchy, users can execute scripts fetched from remote servers. Juniper documentation notes that statements configured under the local op script hierarchy are not enforced for remote scripts, creating potential security blind spots.
It is worth noting that Juniper revised their advisory on April 9, 2026 (one day after initial publication) to remove the allow-url-for-python configuration as a listed precondition. The vulnerability is exploitable without it. Setting no-allow-url can reduce risk by blocking remote script execution, but Juniper explicitly warns this does not eliminate the local exploitation vector.
Built in Telemetry
Junos OS provides a relevant detection signal. Starting in Junos OS Releases 18.2R2 and 18.3R1, if an unsigned Python script is executed without a configured checksum, the device logs a CSCRIPT_SECURITY_WARNING message:
CSCRIPT_SECURITY_WARNING: unsigned python script '/var/db/scripts/op/sample.py' without checksum is executed
This syslog entry is a direct indicator of the exploitation vector for this CVE.
Patch Information
Juniper Networks addressed CVE-2026-33793 through software updates released on April 8, 2026, documented in security bulletin JSA103142. The fix corrects the privilege escalation path so that the op script execution engine no longer grants unnecessary root level access to non root users. The fix is internally tracked under Juniper Problem Report PR1842247.
Junos OS Fixed Versions
| Release Train | Fixed Version |
|---|---|
| 22.4 | 22.4R3-S7 and later |
| 23.2 | 23.2R2-S4 and later |
| 23.4 | 23.4R2-S6 and later |
| 24.2 | 24.2R1-S2, 24.2R2 and later |
| 24.4 | 24.4R1-S2, 24.4R2 and later |
| 25.2 | 25.2R1 and all subsequent releases |
Junos OS Evolved Fixed Versions
| Release Train | Fixed Version |
|---|---|
| 22.4 | 22.4R3-S7-EVO and later |
| 23.2 | 23.2R2-S4-EVO and later |
| 23.4 | 23.4R2-S6-EVO and later |
| 24.2 | 24.2R2-EVO and later |
| 24.4 | 24.4R1-S1-EVO, 24.4R2-EVO and later |
| 25.2 | 25.2R1-EVO and all subsequent releases |
Note a subtle difference between the two product lines: in the 24.2 train, the Junos OS fix is available in the service release 24.2R1-S2, while Junos OS Evolved users need to move to the full 24.2R2-EVO release. There is no 24.2R1-S2-EVO equivalent listed.
Advisory Revision Note
The advisory was revised on April 9, 2026 to remove a previously listed precondition: the configuration [system scripts op allow-url-for-python] was initially noted as relevant, but Juniper clarified it is not necessary for the vulnerability to be exploitable. Configuration workarounds such as no-allow-url reduce risk but do not eliminate the local attack vector. Applying the patched software versions remains the definitive fix.
Detection Methods
Automated Vulnerability Scanning with Nessus
Nessus Plugin ID 305599 (filename: juniper_jsa103142.nasl), published on April 8, 2026, is specifically designed to detect this vulnerability. It belongs to the "Junos Local Security Checks" plugin family and works by comparing the self reported Junos OS version on the target device against the list of affected versions from advisory JSA103142. The plugin requires the Host/Juniper/JUNOS/Version knowledge base item, meaning a credentialed or authenticated scan is needed. This is a version based check only; it does not verify whether the vulnerable configuration is actually present.
Configuration Auditing
Since CVE-2026-33793 only affects systems where unsigned Python op scripts are permitted, auditing device configurations is a critical detection step. Check for the language python3 or language python statement at the [edit system scripts] hierarchy level. On Junos OS Evolved Release 21.2R1 and later, the junos-defaults configuration group includes this statement by default, meaning Evolved devices may be silently exposed without explicit administrator configuration.
Syslog Monitoring for Unsigned Script Execution
Starting in Junos OS Release 18.2R2 and 18.3R1, whenever an unsigned Python script without a configured checksum is executed, the device emits a CSCRIPT_SECURITY_WARNING syslog message:
CSCRIPT_SECURITY_WARNING: unsigned python script '/var/db/scripts/op/sample.py' without checksum is executed
Monitoring for this syslog tag across your Junos infrastructure provides near real time detection of the core exploitation vector. Centralizing syslog collection via a SIEM and alerting on CSCRIPT_SECURITY_WARNING events is a practical approach. If you see this message for scripts you do not recognize, that is a strong indicator of potential abuse.
Op Script Tracing for Forensic Visibility
For deeper operational monitoring and post incident investigation, Junos OS provides built in op script tracing. By enabling traceoptions at the [edit system scripts op traceoptions] hierarchy level, administrators can log detailed information about op script execution to /var/log/op-script.log. The tracing system supports several flags: all, events, input, output, and rpc. The events flag is on by default and captures errors, warnings, progress messages, and script processing events. Enabling the all flag provides comprehensive visibility into every op script operation, which is useful during active threat hunting or incident response.
Absence of Advanced Detection Signatures
As of April 10, 2026, no publicly available YARA rules, Sigma rules, Snort/Suricata signatures, or formal Indicators of Compromise have been published specifically for CVE-2026-33793. Detection currently relies on the version based scanning, configuration auditing, and syslog monitoring approaches described above.
Affected Systems and Versions
Junos OS
All versions before 22.4R3-S7 are affected. Additionally:
- From 23.2 before 23.2R2-S4
- From 23.4 before 23.4R2-S6
- From 24.2 before 24.2R1-S2 and 24.2R2
- From 24.4 before 24.4R1-S2 and 24.4R2
Junos OS Evolved
All versions before 22.4R3-S7-EVO are affected. Additionally:
- From 23.2 before 23.2R2-S4-EVO
- From 23.4 before 23.4R2-S6-EVO
- From 24.2 before 24.2R2-EVO
- From 24.4 before 24.4R1-S1-EVO and 24.4R2-EVO
Vulnerable Configuration
The vulnerability requires the language python or language python3 statement to be configured at the [edit system scripts] hierarchy level. On Junos OS Evolved Release 21.2R1 and later, this configuration is present by default via the junos-defaults configuration group, making those platforms vulnerable out of the box.
Vendor Security History
Juniper Networks maintains a dedicated Security Incident Response Team (SIRT) and follows a structured, batched approach to vulnerability disclosure and patch distribution. The April 2026 advisory cycle included multiple security bulletins released alongside CVE-2026-33793. The company's acquisition by Hewlett Packard Enterprise positions it within a larger enterprise security ecosystem. Juniper contributed $1,367 million (40.9 percent) of specific segment revenues in recent HPE financial reporting, underscoring the scale of its deployment base and the importance of timely patching across its product lines.
References
- NVD: CVE-2026-33793
- MITRE CVE Record: CVE-2026-33793
- Juniper KB: JSA103142
- Juniper Support Portal: Security Bulletin for CVE-2026-33793
- Tenable: CVE-2026-33793
- Tenable Nessus Plugin 305599
- Tenable: CVE-2026-33793 Plugins
- Feedly: CVE-2026-33793
- Juniper: Requirements for Executing Python Automation Scripts
- Juniper: Automation Scripting User Guide (PDF)
- Juniper: Op Script Tracing
- Juniper KB: Unsigned Python Script Checksum Warning
- Saudi NCA CERT: Juniper Alert 2026-7398
- Hong Kong GovCERT: Alert A26-04-11
