Vulnerabilities

CVE-2023-36846

Critical 🇺🇸 CISA KEV ⚡ Exploit Available
Published: Nov 13, 2023  ·  Source: CISA_KEV
CVSS v3
9.0
📄 Description (English)

Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability — Juniper Junos OS on SRX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to user.php that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.

🤖 AI Executive Summary

CVE-2023-36846 is a missing-authentication vulnerability in the J-Web interface of Juniper Junos OS on SRX Series firewalls. An unauthenticated, network-based attacker can send a crafted request to user.php and upload arbitrary files without any credentials, compromising the integrity of part of the file system. On its own the impact is limited: Juniper's advisory JSA72300 rates this individual issue 5.3 (integrity only). The 9.0 Critical rating shown here reflects the chained risk rather than the standalone upload. Combined with CVE-2023-36845 (PHP external variable modification in the same J-Web interface), public research has shown the pair yields unauthenticated remote code execution, and Juniper rates the full J-Web chain 9.8. A public exploit is available and CISA has added the CVE to the Known Exploited Vulnerabilities catalogue, so immediate patching or mitigation is an urgent priority for any organization exposing J-Web on SRX firewalls.


🤖 AI Intelligence Analysis Analyzed: Apr 17, 2026 16:00
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations heavily reliant on Juniper SRX firewalls for perimeter security face critical exposure. Key sectors at risk include: (1) Banking/Finance — SAMA-regulated institutions using SRX as edge or branch firewalls are at high risk of network perimeter compromise; (2) Energy — Saudi Aramco and NEOM infrastructure using Juniper SRX for OT/IT segmentation could face integrity breaches enabling lateral movement into critical systems; (3) Government/NCA — Government entities using SRX for classified network perimeters face potential data exfiltration risk; (4) Telecom — STC and other carriers using SRX in service provider deployments face broad exposure; (5) Healthcare — Hospitals using SRX for network segmentation may face compliance violations under PDPL. The availability of a public exploit significantly elevates the threat level for Saudi SOCs, particularly given the widespread deployment of Juniper SRX in Saudi enterprise and government networks.
🏢 Affected Saudi Sectors
Banking Government Energy Telecom Healthcare Defense Critical Infrastructure
⚖️ Saudi Risk Score (AI)
9.4
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Disable J-Web interface on all SRX devices if not operationally required: 'delete system services web-management'
2. Restrict J-Web access to trusted management IP ranges only using firewall filters
3. Audit all SRX devices for unexpected files uploaded via J-Web in /var/tmp and web directories
4. Enable logging for all J-Web access attempts and forward to SIEM immediately

PATCHING GUIDANCE:
- Upgrade to Junos OS 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S5, 22.1R3-S3, 22.2R3-S2, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, 23.2R1 or later
- Follow Juniper advisory JSA72300 for version-specific patch mapping
- Prioritize internet-facing SRX devices first
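As an added worked example (not code from this page, from Juniper, or from JSA72300): a small Python checker that parses Junos version strings as printed by `show version` and decides, against the fixed-release list above, whether a device still needs the fix. The fixed-release list is copied from the patching guidance above; the status names, the `unknown-train` handling and the sample `show version` output are this example's own assumptions. Release trains that have no fix listed above (for example 21.1) are reported as unknown and must be checked against the advisory directly rather than assumed safe.

```python
import re
from typing import Dict, List, NamedTuple

# Fixed releases as listed in the patching guidance above (Juniper JSA72300).
FIXED_RELEASES = [
    "20.4R3-S8", "21.2R3-S6", "21.3R3-S5", "21.4R3-S5", "22.1R3-S3",
    "22.2R3-S2", "22.3R2-S2", "22.3R3", "22.4R2-S1", "22.4R3", "23.2R1",
]

# major.minor R release [-S service] [.build]   e.g. 22.3R2-S2.8, 20.4R3.8, 23.2R1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?")


class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int
    service: int

    @property
    def train(self):
        return (self.major, self.minor)


def parse_version(text: str) -> JunosVersion:
    """Parse '22.3R2-S2.8' style strings; the trailing build number is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Junos version string: {text!r}")
    major, minor, release, service, _build = m.groups()
    return JunosVersion(int(major), int(minor), int(release), int(service or 0))


def _fixes_by_train() -> Dict[tuple, List[JunosVersion]]:
    table: Dict[tuple, List[JunosVersion]] = {}
    for s in FIXED_RELEASES:
        v = parse_version(s)
        table.setdefault(v.train, []).append(v)
    return table


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-train' for one Junos version."""
    v = parse_version(version)
    fixes = _fixes_by_train()
    if v.train < min(fixes):
        # Older than the oldest train that received a fix ("all versions prior
        # to 20.4R3-S8"): no fix exists there, the device must move trains.
        return "vulnerable"
    if v.train not in fixes:
        # e.g. 21.1: absent from the list above (assumed status; verify against
        # the advisory rather than treating the device as safe).
        return "unknown-train"
    # Within a train the advisory wording is "prior to X" (or "prior to X, Y"
    # when a later R release also carries the fix), so anything at or after
    # the earliest fix point in that train is patched.
    return "patched" if v >= min(fixes[v.train]) else "vulnerable"


def assess_show_version(output: str) -> str:
    """Pull the 'Junos: <version>' line out of 'show version' output and assess it."""
    m = re.search(r"^Junos:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Junos:' line found in show version output")
    return assess(m.group(1))


# Constructed sample output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Hostname: srx-branch-01
Model: srx345
Junos: 22.3R2-S1.4
JUNOS Software Release [22.3R2-S1.4]
"""

if __name__ == "__main__":
    for ver in ("20.4R3-S7", "20.4R3-S8", "22.3R2-S1.4", "22.3R3-S1", "21.1R3", "19.4R3"):
        print(f"{ver:14} -> {assess(ver)}")
    print("sample device  ->", assess_show_version(SAMPLE_SHOW_VERSION))
```

Feed it the output of `show version` collected from each SRX (for example via a NETCONF or SSH inventory job) and prioritize the `vulnerable` results that sit on Internet-facing interfaces first, as the guidance above says.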

COMPENSATING CONTROLS (if patching is delayed):
1. If J-Web cannot be removed, bind it to the out-of-band management interface only: 'set system services web-management https interface <mgmt-interface>'. Note that this command enables HTTPS J-Web on the named interface rather than disabling it; the command that removes J-Web entirely is 'delete system services web-management' (see Immediate Actions above)
2. Implement strict ACLs limiting management plane access to dedicated jump hosts only
3. Deploy IPS signatures for CVE-2023-36846 exploitation attempts
4. Monitor for POST requests to /user.php in web server logs

DETECTION RULES:
- SIEM: Alert on HTTP POST requests to '/user.php' from untrusted sources on SRX management interfaces
- Network: Monitor for unexpected outbound connections from SRX devices post-exploitation
- Endpoint: Check for new/modified files in Junos web directories
- Threat Hunt: Search for CVE-2023-36845 chaining attempts following file upload activity
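As an added example (not code from this page or from Juniper): the SIEM and threat-hunt rules above applied in Python to a few constructed combined-format access-log lines. It flags POST requests to user.php from sources outside an assumed management allow-list, and separately flags any request carrying a PHPRC query parameter, the PHP configuration knob that the public proof-of-concept chains through CVE-2023-36845. The trusted ranges, the log lines and the tag names are this example's assumptions, and J-Web itself does not necessarily log in this format, so adapt the regex to whatever your collector or reverse proxy actually emits.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed management ranges for this example; replace with the real allow-list.
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# NCSA combined log format, the shape most reverse proxies and syslog
# collectors placed in front of a management interface will emit.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (not real data): a normal session from the
# management LAN, a POST to user.php from an Internet address, then a
# follow-up request from the same address carrying a PHPRC parameter.
SAMPLE_LOG = """\
10.10.0.5 - - [14/Nov/2023:08:01:12 +0300] "GET /login HTTP/1.1" 200 1234
10.10.0.5 - - [14/Nov/2023:08:01:30 +0300] "POST /user.php HTTP/1.1" 200 56
203.0.113.7 - - [14/Nov/2023:08:02:40 +0300] "POST /user.php HTTP/1.1" 200 56
203.0.113.7 - - [14/Nov/2023:08:02:41 +0300] "GET /user.php?PHPRC=/var/tmp/upload HTTP/1.1" 200 88
198.51.100.9 - - [14/Nov/2023:08:05:00 +0300] "GET /favicon.ico HTTP/1.1" 404 0
"""


def parse_line(line):
    """Split one access-log line into fields; returns None for unparsable lines."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_MGMT_NETS)


def classify(rec):
    """Return the detection tags that fire for one parsed request."""
    tags = []
    if rec["path"].endswith("/user.php") and rec["method"] == "POST":
        tags.append("jweb-userphp-post")
        if not is_trusted(rec["ip"]):
            tags.append("untrusted-source")
    if any(k.upper() == "PHPRC" for k in rec["query"]):
        tags.append("phprc-parameter")  # CVE-2023-36845 chaining indicator
    return tags


def scan(log_text):
    """Return alert records (ip, path, tags) for the lines that need attention."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        # Alert on an upload attempt from outside the management ranges, and on
        # any PHPRC abuse regardless of source (a trusted host may be compromised).
        if "untrusted-source" in tags or "phprc-parameter" in tags:
            alerts.append({"ip": rec["ip"], "path": rec["path"], "tags": tags})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The trusted POST on the second sample line is tagged but not alerted; it is worth keeping as an audit record, because after a chain like this the management LAN itself may be the attacker's foothold.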
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC-1-4-2 Authentication and Access Control: missing authentication for a critical function
- ECC-1-3-1 Cybersecurity Risk Management: critical vulnerability in a perimeter security device
- ECC-2-3-1 Network Security: perimeter firewall integrity compromise
- ECC-2-5-1 Vulnerability Management: publicly exploited vulnerability requiring immediate patching
- ECC-1-5-1 Cybersecurity Event Management: detection of and response to active exploitation
🔵 SAMA CSF
- 3.3.3 Access Control: unauthenticated access to a critical management function
- 3.3.6 Vulnerability Management: critical vulnerability with a public exploit in a perimeter device
- 3.3.7 Penetration Testing: SRX devices must be included in scope
- 3.3.2 Network Security: firewall integrity and segmentation controls
- 3.3.11 Cyber Incident Management: active exploitation requires incident response activation
🟡 ISO 27001:2022
- A.8.5 Secure Authentication: missing authentication for a critical web function
- A.8.8 Management of Technical Vulnerabilities: critical patch available, public exploit in circulation
- A.8.22 Segregation of Networks: firewall compromise undermines network segmentation
- A.8.20 Networks Security: perimeter security device integrity
- A.5.24 Information Security Incident Management Planning: active exploitation scenario
🟣 PCI DSS v4.0
- Requirement 1.3 Network access controls: firewall compromise affects the cardholder data environment perimeter
- Requirement 6.3.3: all system components protected from known vulnerabilities via patching
- Requirement 8.2 User identification and authentication: missing authentication vulnerability
- Requirement 12.10: incident response plan activation for an exploited vulnerability
📦 Affected Products / CPE 1 entries
Juniper:Junos OS
📋 Quick Facts
Severity Critical
CVSS Score9.0
EPSS94.23%
Exploit ✓ Yes
Patch ✓ Yes
CISA KEV🇺🇸 Yes
KEV Due Date2023-11-17
Published 2023-11-13
Source Feed cisa_kev
🏷️ Tags
kev actively-exploited