📄 Description (English)
Juniper Junos OS EX Series PHP External Variable Modification Vulnerability — Juniper Junos OS on EX Series contains a PHP external variable modification vulnerability that allows an unauthenticated, network-based attacker to control certain, important environment variables. Using a crafted request an attacker is able to modify certain PHP environment variables, leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
🤖 AI Executive Summary
CVE-2023-36844 is a critical PHP external variable modification vulnerability in Juniper Junos OS on EX Series switches, scoring 9.0 CVSS. An unauthenticated, network-based attacker can manipulate critical PHP environment variables through crafted HTTP requests without any authentication. This vulnerability is particularly dangerous as it can be chained with other vulnerabilities (notably CVE-2023-36845, CVE-2023-36846, CVE-2023-36847) to achieve unauthenticated remote code execution on the J-Web management interface. Active exploits are confirmed in the wild, making immediate patching an urgent priority for all organizations running Juniper EX Series switches.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 17, 2026 16:02
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations face significant exposure given the widespread deployment of Juniper EX Series switches in enterprise and government network infrastructure. Key at-risk sectors include: (1) Banking/SAMA-regulated entities — Juniper EX switches are commonly deployed in core banking network segments and data centers; exploitation could compromise network segmentation and enable lateral movement into payment systems. (2) Government/NCA — Saudi government ministries and Vision 2030 digital infrastructure projects heavily utilize Juniper networking equipment; a breach could expose sensitive national data. (3) Energy/ARAMCO & SABIC — Industrial and corporate networks in the energy sector using EX Series switches for OT/IT convergence zones are at elevated risk. (4) Telecom/STC, Mobily, Zain — Carrier-grade and enterprise network deployments using Juniper EX switches for access and distribution layers. (5) Healthcare — Hospital networks using EX Series for patient data network segmentation. The chaining capability with CVE-2023-36845/46/47 to achieve RCE makes this a nation-state and ransomware group target, particularly relevant given increased threat actor activity targeting Saudi critical infrastructure.
🏢 Affected Saudi Sectors
Banking
Government
Energy
Telecom
Healthcare
Education
Transportation
Defense
⚖️ Saudi Risk Score (AI)
9.4
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Identify all Juniper EX Series devices running Junos OS with J-Web enabled across your environment.
2. Disable J-Web interface immediately if not operationally required: 'delete system services web-management' or restrict access via firewall filters.
3. Implement ACLs to restrict J-Web access (port 80/443) to trusted management IP ranges only.
4. Review firewall policies to ensure J-Web is not exposed to the internet or untrusted networks.
PATCHING GUIDANCE:
5. Apply Juniper security advisory JSA72300 patches immediately. Patched versions include:
- Junos OS 20.4R3-S9, 21.1R3-S5, 21.2R3-S5, 21.3R3-S4, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, 23.2R1, and later releases.
6. Prioritize internet-facing and management-plane exposed devices first.
7. Test patches in staging before production deployment where operationally feasible.
COMPENSATING CONTROLS (if patching is delayed):
8. Deploy a Web Application Firewall (WAF) or reverse proxy in front of J-Web to filter malicious PHP variable injection attempts.
9. Enable out-of-band management (dedicated management VRF/interface) and disable in-band J-Web access.
10. Implement network segmentation to isolate management interfaces.
DETECTION RULES:
11. Monitor for anomalous HTTP requests to J-Web containing PHP variable manipulation patterns (e.g., PHPRC, PHP_INI_SCAN_DIR in request parameters).
12. Enable Junos OS logging for J-Web access and forward to SIEM.
13. Create SIEM alerts for repeated unauthenticated access attempts to J-Web endpoints.
14. Deploy IDS/IPS signatures for CVE-2023-36844 (available in Snort/Suricata community rulesets).
15. Monitor for unusual process spawning from J-Web PHP processes on affected devices.
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية (خلال 24 ساعة):
1. تحديد جميع أجهزة Juniper EX Series التي تعمل بنظام Junos OS مع تفعيل J-Web في بيئتك.
2. تعطيل واجهة J-Web فوراً إذا لم تكن ضرورية تشغيلياً: 'delete system services web-management' أو تقييد الوصول عبر مرشحات جدار الحماية.
3. تطبيق قوائم التحكم بالوصول (ACL) لتقييد الوصول إلى J-Web (المنفذ 80/443) على نطاقات IP الإدارية الموثوقة فقط.
4. مراجعة سياسات جدار الحماية للتأكد من عدم تعرض J-Web للإنترنت أو الشبكات غير الموثوقة.
إرشادات التصحيح:
5. تطبيق تصحيحات Juniper الأمنية JSA72300 فوراً. الإصدارات المُصححة تشمل:
- Junos OS 20.4R3-S9، 21.1R3-S5، 21.2R3-S5، 21.3R3-S4، 21.4R3-S4، 22.1R3-S3، 22.2R3-S1، 22.3R2-S2، 22.3R3، 22.4R2-S1، 22.4R3، 23.2R1 والإصدارات الأحدث.
6. إعطاء الأولوية للأجهزة المعرضة للإنترنت وتلك المكشوفة في مستوى الإدارة أولاً.
7. اختبار التصحيحات في بيئة التجهيز قبل النشر في الإنتاج حيثما أمكن.
ضوابط التعويض (في حالة تأخر التصحيح):
8. نشر جدار حماية تطبيقات الويب (WAF) أو وكيل عكسي أمام J-Web لتصفية محاولات حقن متغيرات PHP الضارة.
9. تفعيل الإدارة خارج النطاق (VRF/واجهة إدارة مخصصة) وتعطيل وصول J-Web داخل النطاق.
10. تطبيق تجزئة الشبكة لعزل واجهات الإدارة.
قواعد الكشف:
11. مراقبة طلبات HTTP غير الطبيعية إلى J-Web التي تحتوي على أنماط التلاعب بمتغيرات PHP (مثل PHPRC، PHP_INI_SCAN_DIR في معاملات الطلب).
12. تفعيل تسجيل Junos OS لوصول J-Web وإرساله إلى نظام SIEM.
13. إنشاء تنبيهات SIEM لمحاولات الوصول غير المصادق المتكررة إلى نقاط نهاية J-Web.
14. نشر توقيعات IDS/IPS لـ CVE-2023-36844 (متاحة في مجموعات قواعد Snort/Suricata المجتمعية).
15. مراقبة عمليات إنشاء العمليات غير المعتادة من عمليات PHP الخاصة بـ J-Web على الأجهزة المتأثرة.
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Cybersecurity Vulnerability Management — immediate patching of critical vulnerabilities
ECC-1-3-2: Network Security — protection of management interfaces and network segmentation
ECC-1-3-6: Web Application Security — securing web-based management interfaces
ECC-2-2-1: Asset Management — inventory and patching of network infrastructure assets
ECC-1-5-1: Cybersecurity Event Logs and Monitoring — detection of exploitation attempts
🔵 SAMA CSF
3.3.3 Vulnerability Management — critical vulnerability remediation within defined SLAs
3.3.5 Network Security — management plane access controls and segmentation
3.3.6 Application Security — securing web management interfaces
3.3.9 Cyber Security Monitoring — SIEM alerting for exploitation attempts
3.2.2 Asset Management — network device inventory and patch tracking
🟡 ISO 27001:2022
A.8.8 Management of technical vulnerabilities — timely patching of critical CVEs
A.8.20 Networks security — network segmentation and management interface protection
A.8.23 Web filtering — restricting access to management interfaces
A.8.16 Monitoring activities — detection of anomalous access to management systems
A.5.30 ICT readiness for business continuity — ensuring patching does not disrupt operations
🟣 PCI DSS v4.0
Requirement 6.3.3 — All system components protected from known vulnerabilities by installing applicable security patches
Requirement 1.3.2 — Restrict inbound traffic to only that which is necessary for network devices
Requirement 10.7 — Detect and report failures of critical security controls
Requirement 12.3.2 — Targeted risk analysis for critical vulnerability management
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Juniper:Junos OS