📄 Description (English)
Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability — Juniper Junos OS on EX Series and SRX Series contains a PHP external variable modification vulnerability that allows an unauthenticated, network-based attacker to control an important environment variable. Using a crafted request, which sets the variable PHPRC, an attacker is able to modify the PHP execution environment allowing the injection und execution of code.
🤖 AI Executive Summary
CVE-2023-36845 is a critical PHP external variable modification vulnerability affecting Juniper Junos OS on EX Series switches and SRX Series firewalls, scoring 9.0 on the CVSS scale. An unauthenticated remote attacker can manipulate the PHPRC environment variable via a crafted HTTP request to the J-Web management interface, enabling arbitrary code injection and execution without any credentials. This vulnerability is actively exploited in the wild with public proof-of-concept code available, making it an immediate and severe threat. Organizations relying on Juniper network infrastructure for perimeter security and switching are at critical risk of full device compromise.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 17, 2026 16:01
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations face severe exposure given the widespread deployment of Juniper EX Series switches and SRX Series firewalls across critical national infrastructure. Energy sector (Saudi Aramco, SABIC, SEC) relies heavily on Juniper SRX firewalls for OT/IT network segmentation — compromise could bridge air-gapped environments. Banking and financial institutions regulated by SAMA use Juniper EX switches as core/distribution layer infrastructure, risking lateral movement into payment processing networks. Government entities under NCA oversight deploying Juniper for inter-agency connectivity face data exfiltration risks. Telecom providers (STC, Mobily, Zain) using Juniper as backbone infrastructure could see service disruption. The J-Web interface, if internet-exposed (common in smaller branch deployments), dramatically increases attack surface. Saudi SOCs should treat this as a Priority 1 incident given active exploitation and the prevalence of Juniper in Saudi enterprise and government networks.
🏢 Affected Saudi Sectors
Banking
Energy
Government
Telecom
Healthcare
Defense
Transportation
Education
⚖️ Saudi Risk Score (AI)
9.4
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Disable J-Web interface immediately on all EX and SRX devices if not required: 'delete system services web-management'
2. Restrict J-Web access to trusted management IP ranges only using firewall filters
3. Audit all internet-facing Juniper devices for J-Web exposure using Shodan/internal scanning
4. Review device logs for anomalous PHP execution or unexpected process spawning
PATCHING GUIDANCE:
- Apply Juniper security advisory JSA72300 patches immediately
- EX Series: Upgrade to Junos OS 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1 or later
- SRX Series: Apply same version targets as above
- Prioritize internet-facing devices first, then internal core infrastructure
COMPENSATING CONTROLS (if patching delayed):
1. Implement ACLs to restrict J-Web (TCP 443/8443/80) to management VLAN only
2. Deploy WAF rules to block requests containing 'PHPRC' parameter manipulation
3. Enable IPS signatures for CVE-2023-36845 on upstream security devices
4. Implement out-of-band management for all Juniper devices
5. Enable enhanced logging: 'set system syslog file auth any' and forward to SIEM
DETECTION RULES:
- Monitor for HTTP requests containing 'PHPRC' in headers or body
- Alert on unexpected child processes spawned from PHP or web server processes
- SIEM rule: Flag any J-Web authentication from non-management IP ranges
- Network: Detect outbound connections from Juniper management IPs to external hosts
- Snort/Suricata: alert http any any -> $JUNIPER_MGMT any (content:"PHPRC"; msg:"CVE-2023-36845 Exploit Attempt"; sid:9000001;)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية (خلال 24 ساعة):
1. تعطيل واجهة J-Web فوراً على جميع أجهزة EX وSRX إذا لم تكن مطلوبة: 'delete system services web-management'
2. تقييد الوصول إلى J-Web على نطاقات IP الموثوقة فقط باستخدام مرشحات جدار الحماية
3. مراجعة جميع أجهزة Juniper المكشوفة على الإنترنت للتحقق من تعرض J-Web
4. مراجعة سجلات الأجهزة بحثاً عن تنفيذ PHP غير طبيعي أو عمليات غير متوقعة
إرشادات التصحيح:
- تطبيق تصحيحات الاستشارة الأمنية JSA72300 من Juniper فوراً
- EX Series: الترقية إلى إصدارات Junos OS المحددة في الاستشارة الأمنية
- SRX Series: تطبيق نفس أهداف الإصدار المذكورة أعلاه
- إعطاء الأولوية للأجهزة المكشوفة على الإنترنت أولاً
ضوابط التعويض (في حالة تأخر التصحيح):
1. تطبيق قوائم التحكم في الوصول لتقييد J-Web على شبكة VLAN للإدارة فقط
2. نشر قواعد WAF لحظر الطلبات التي تحتوي على تلاعب بمعامل PHPRC
3. تفعيل توقيعات IPS لـ CVE-2023-36845 على أجهزة الأمان الأمامية
4. تطبيق إدارة خارج النطاق لجميع أجهزة Juniper
5. تفعيل التسجيل المحسّن وإرساله إلى نظام SIEM
قواعد الكشف:
- مراقبة طلبات HTTP التي تحتوي على 'PHPRC' في الرؤوس أو الجسم
- التنبيه على العمليات الفرعية غير المتوقعة المنبثقة من PHP أو عمليات خادم الويب
- قاعدة SIEM: الإشارة إلى أي مصادقة J-Web من نطاقات IP غير إدارية
- الشبكة: اكتشاف الاتصالات الصادرة من عناوين IP لإدارة Juniper إلى مضيفين خارجيين
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Cybersecurity Vulnerability Management — immediate patching of critical vulnerabilities
ECC-1-3-2: Cybersecurity Event Logging and Monitoring — detection of exploitation attempts
ECC-2-2-1: Network Security — restricting management interface access
ECC-2-3-1: Secure Configuration — disabling unnecessary services (J-Web)
ECC-1-5-1: Cybersecurity Incident Management — treating active exploitation as P1 incident
ECC-2-1-1: Asset Management — inventory of all Juniper EX/SRX devices
🔵 SAMA CSF
Cybersecurity Risk Management — 3.3.2: Vulnerability and Patch Management
Cybersecurity Operations — 4.3.5: Vulnerability Assessment and Penetration Testing
Cybersecurity Operations — 4.3.3: Security Monitoring and Event Management
Cybersecurity Resilience — 5.1.2: Network Security Controls
Third-Party Cybersecurity — 3.7.2: Network infrastructure vendor security advisories
🟡 ISO 27001:2022
A.8.8 — Management of technical vulnerabilities
A.8.20 — Networks security
A.8.22 — Segregation of networks
A.8.16 — Monitoring activities
A.8.9 — Configuration management
A.5.24 — Information security incident management planning
🟣 PCI DSS v4.0
Requirement 6.3.3 — All system components protected from known vulnerabilities by patching
Requirement 1.3.2 — Restrict inbound and outbound traffic to management interfaces
Requirement 10.7 — Detect and respond to failures of critical security controls
Requirement 12.3.2 — Targeted risk analysis for critical vulnerability remediation timelines
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Juniper:Junos OS