Critical RCE security bug affecting thousands of Juniper Networks devices - so patch now


Thousands of Juniper devices were found vulnerable to a critical flaw which allows threat actors to execute malicious code remotely and without the need for authentication.

The Register reported a vulnerability tracked as CVE-2024-21591. Described as an out-of-bounds write flaw, the vulnerability carries a severity score of 9.8/10, and allows hackers to obtain root privileges, cause denial of service, or run code remotely. 

It was discovered in Junos OS' J-Web configuration interface.

Patches and workarounds

The publication also says, citing data from Censys, that more than 11,500 devices are vulnerable, including all devices running:

Junos OS versions earlier than 20.4R3-S9 

Junos OS 21.2 versions earlier than 21.2R3-S7 

Junos OS 21.3 versions earlier than 21.3R3-S5 

Junos OS 21.4 versions earlier than 21.4R3-S5 

Junos OS 22.1 versions earlier than 22.1R3-S4 

Junos OS 22.2 versions earlier than 22.2R3-S3 

Junos OS 22.3 versions earlier than 22.3R3-S2 

Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3
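As an added example that is not part of the original article, the following Python check applies the version list above to a release string as reported by a device (for instance the "21.2R3-S6.3" form shown by show version). It assumes Junos release strings follow the major.minorR<release>-S<service> pattern and treats trains the list does not mention as unknown rather than guessing.

```python
import re
from typing import Optional, Tuple

# First fixed release per train, taken from the list above. A running release
# on the same train that sorts earlier than its entry is affected. The 20.4
# entry also covers every older train ("versions earlier than 20.4R3-S9").
FIXED_RELEASES = {
    "20.4": "20.4R3-S9",
    "21.2": "21.2R3-S7",
    "21.3": "21.3R3-S5",
    "21.4": "21.4R3-S5",
    "22.1": "22.1R3-S4",
    "22.2": "22.2R3-S3",
    "22.3": "22.3R3-S2",
    "22.4": "22.4R2-S2",  # 22.4R3 sorts later than R2-S2, so one threshold suffices
}

# Assumed release format: <major>.<minor>R<release>[-S<service>][.<build>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")


def parse_junos(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn e.g. '21.2R3-S6.3' into (21, 2, 3, 6); S defaults to 0; None if unparseable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, release, service = m.groups()
    return (int(major), int(minor), int(release), int(service or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the release is below the listed fix for its train, False if it is at
    or above the fix, None if the string is unparseable or the train is unlisted."""
    running = parse_junos(version)
    if running is None:
        return None
    train = f"{running[0]}.{running[1]}"
    if train in FIXED_RELEASES:
        return running < parse_junos(FIXED_RELEASES[train])
    # Any train older than 20.4 falls under "versions earlier than 20.4R3-S9".
    if running < parse_junos(FIXED_RELEASES["20.4"]):
        return True
    return None  # e.g. 21.1 or 23.x: not covered by the list in this article


if __name__ == "__main__":
    for v in ["21.2R3-S6.3", "21.2R3-S7", "22.4R2-S1", "22.4R3", "19.4R3-S5", "21.1R3"]:
        print(v, "->", is_affected(v))
```

A result of None should be treated as "check the vendor advisory", not as "safe".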

The most exposed device model appears to be the SRX110H2-VA, a firewall that reached end of life back in 2018. The majority of potential victims are located in South Korea, with some found in the US, Hong Kong, and China.

There is no evidence of the vulnerability being exploited in the wild, Juniper said, but now that the cat is out of the bag, it’s only a matter of time before hackers start scanning for vulnerable devices. Admins who can’t apply the patch for any reason should disable J-Web, or limit access to only trusted sources, Juniper added. 

Applying the patch is the best way to remain secure from potential threats, but admins seem to be very slow. In late August last year, Juniper patched a similarly dangerous vulnerability (9.8) but it turns out most endpoints are yet to be patched.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.