📄 Description (English)
Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability — Juniper Junos OS on EX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.
🤖 AI Executive Summary
CVE-2023-36847 is a critical missing authentication vulnerability (CVSS 9.0) in Juniper Junos OS on EX Series switches, allowing unauthenticated remote attackers to upload arbitrary files via the J-Web interface without any credentials. The vulnerability targets the installAppPackage.php endpoint and can compromise file system integrity, serving as a stepping stone for chaining with other exploits to achieve full system compromise. Active exploits are confirmed in the wild, making this an urgent threat requiring immediate attention. Organizations relying on Juniper EX Series switches for network infrastructure are at significant risk of network-level compromise.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 17, 2026 12:56
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations face severe risk given the widespread deployment of Juniper EX Series switches across critical sectors. Banking and financial institutions regulated by SAMA rely heavily on Juniper infrastructure for core network switching, making them prime targets for lateral movement attacks. Government entities under NCA oversight using EX Series in data centers and campus networks could face unauthorized file uploads leading to backdoor installation. Saudi Aramco and energy sector organizations with operational technology (OT) networks segmented by Juniper switches face potential network segmentation bypass. Telecom providers such as STC and Zain KSA using EX Series in their backbone infrastructure could experience service disruption. The exploit-available status combined with J-Web exposure to internal or internet-facing networks dramatically elevates risk for all sectors. Healthcare organizations with limited security staffing are particularly vulnerable if J-Web management interfaces are not properly restricted.
🏢 Affected Saudi Sectors
Banking
Government
Energy
Telecom
Healthcare
Transportation
Education
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Disable J-Web interface on all Juniper EX Series devices if not operationally required: 'delete system services web-management'
2. If J-Web is required, restrict access using firewall filters to allow only trusted management IP ranges
3. Audit all EX Series devices for unauthorized files uploaded via J-Web
4. Block external access to port 80/443 on management interfaces at perimeter firewalls
PATCHING GUIDANCE:
5. Apply Juniper's official patches immediately — upgrade to Junos OS versions: 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.4R2-S1, 22.4R3, 23.2R1 or later
6. Prioritize internet-facing or management-network-exposed devices first
7. Validate patch integrity after deployment
COMPENSATING CONTROLS (if patching is delayed):
8. Implement out-of-band management (dedicated management VLAN with strict ACLs)
9. Deploy IDS/IPS signatures to detect POST requests to installAppPackage.php
10. Enable logging for all J-Web access attempts and forward to SIEM
DETECTION RULES:
11. Alert on HTTP POST requests to '/installAppPackage.php' from unauthorized sources
12. Monitor for unexpected file creation in Junos OS file system directories
13. Review authentication logs for J-Web access anomalies
14. Threat hunt for indicators of chained exploitation (e.g., CVE-2023-36844, CVE-2023-36845)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية (خلال 24 ساعة):
1. تعطيل واجهة J-Web على جميع أجهزة Juniper EX Series إذا لم تكن ضرورية تشغيلياً: 'delete system services web-management'
2. إذا كانت J-Web مطلوبة، قيّد الوصول باستخدام مرشحات جدار الحماية للسماح فقط لنطاقات IP الإدارية الموثوقة
3. مراجعة جميع أجهزة EX Series بحثاً عن ملفات غير مصرح بها تم رفعها عبر J-Web
4. حجب الوصول الخارجي إلى المنفذين 80/443 على واجهات الإدارة عند جدران الحماية المحيطية
إرشادات التصحيح:
5. تطبيق التصحيحات الرسمية من Juniper فوراً — الترقية إلى إصدارات Junos OS: 20.4R3-S8، 21.2R3-S6، 21.3R3-S5، 21.4R3-S4، 22.1R3-S3، 22.2R3-S1، 22.3R2-S2، 22.4R2-S1، 22.4R3، 23.2R1 أو أحدث
6. إعطاء الأولوية للأجهزة المكشوفة على الإنترنت أو شبكات الإدارة أولاً
7. التحقق من سلامة التصحيح بعد النشر
ضوابط التعويض (في حال تأخر التصحيح):
8. تطبيق إدارة خارج النطاق (VLAN إدارة مخصصة مع قوائم تحكم صارمة)
9. نشر توقيعات IDS/IPS للكشف عن طلبات POST إلى installAppPackage.php
10. تفعيل التسجيل لجميع محاولات الوصول إلى J-Web وإرسالها إلى SIEM
قواعد الكشف:
11. التنبيه على طلبات HTTP POST إلى '/installAppPackage.php' من مصادر غير مصرح بها
12. مراقبة إنشاء ملفات غير متوقعة في مجلدات نظام ملفات Junos OS
13. مراجعة سجلات المصادقة لاكتشاف شذوذات الوصول إلى J-Web
14. البحث عن مؤشرات الاستغلال المتسلسل (مثل CVE-2023-36844، CVE-2023-36845)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Authentication and Access Control — missing authentication for critical function
ECC-1-3-1: Cybersecurity Risk Management — critical infrastructure network device vulnerability
ECC-2-3-1: Network Security — unauthorized file upload to network devices
ECC-1-5-1: Vulnerability Management — critical patch application requirement
ECC-2-2-1: Identity and Access Management — unauthenticated access to management interfaces
🔵 SAMA CSF
Protect — PR.AC-3: Remote access management and authentication controls
Protect — PR.PT-4: Communications and control networks protection
Detect — DE.CM-1: Network monitoring for unauthorized access
Respond — RS.MI-1: Incident mitigation for active exploits
Protect — PR.IP-12: Vulnerability management process
🟡 ISO 27001:2022
A.8.2 — Privileged access rights: unauthenticated access to privileged functions
A.8.5 — Secure authentication: missing authentication for critical function
A.8.9 — Configuration management: insecure default J-Web exposure
A.8.8 — Management of technical vulnerabilities: critical patch management
A.8.20 — Networks security: network device integrity compromise
A.8.22 — Segregation of networks: potential bypass of network segmentation
🟣 PCI DSS v4.0
Requirement 1.3 — Network access controls: restrict inbound/outbound traffic to management interfaces
Requirement 6.3.3 — All system components protected from known vulnerabilities via patching
Requirement 8.2 — User identification and authentication: missing authentication violation
Requirement 10.2 — Audit log events for unauthorized access attempts
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Juniper:Junos OS