📄 Description (English)
Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability — Juniper Junos OS on SRX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to webauth_operation.php that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.
🤖 AI Executive Summary
CVE-2023-36851 is a critical missing authentication vulnerability (CVSS 9.0) in Juniper Junos OS on SRX Series firewalls, allowing unauthenticated remote attackers to upload arbitrary files via the J-Web interface through a specific request to webauth_operation.php. This file upload capability compromises file system integrity and can be chained with other vulnerabilities to achieve full system compromise. A public exploit is available, significantly elevating the risk of active exploitation in the wild. Organizations using Juniper SRX firewalls with J-Web enabled are at immediate risk and must patch or disable J-Web without delay.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 17, 2026 12:55
🇸🇦 Saudi Arabia Impact Assessment
Juniper SRX firewalls are widely deployed as perimeter and segmentation firewalls across Saudi Arabia's critical sectors. Banking and financial institutions regulated by SAMA rely heavily on SRX for network perimeter defense, making them prime targets. Government entities under NCA oversight and Vision 2030 digital infrastructure projects using Juniper SRX are at elevated risk of perimeter breach. Saudi Aramco, NEOM, and energy sector operators using SRX for OT/IT network segmentation face potential lateral movement risks if this vulnerability is chained with others. Telecom providers such as STC and Mobily using SRX in their core network infrastructure could face service disruption or data exfiltration. The availability of a public exploit makes this an active threat requiring immediate action across all sectors.
🏢 Affected Saudi Sectors
Banking
Government
Energy
Telecom
Healthcare
Defense
Transportation
Critical Infrastructure
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Disable J-Web interface on all SRX devices immediately if not required for operations: 'delete system services web-management'
2. Restrict J-Web access to trusted management IP ranges only using firewall filters
3. Audit all SRX devices for J-Web exposure to the internet or untrusted networks
4. Review recent logs for suspicious requests to webauth_operation.php
PATCHING GUIDANCE:
1. Upgrade to Junos OS 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S5, 22.1R3-S3, 22.2R3-S2, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, 23.2R1 or later
2. Apply patches during the next available maintenance window after immediate compensating controls are in place
3. Verify patch integrity before deployment
COMPENSATING CONTROLS:
1. Implement ACLs to restrict J-Web access to management VLAN only
2. Deploy WAF rules to block requests to webauth_operation.php from untrusted sources
3. Enable IPS signatures for Juniper J-Web exploitation attempts
4. Implement network segmentation to isolate management interfaces
DETECTION RULES:
1. Monitor HTTP/HTTPS logs for POST requests to '/webauth_operation.php' from untrusted IPs
2. Alert on unexpected file creation events in Junos OS file system
3. Create SIEM rules for anomalous J-Web authentication bypass patterns
4. Deploy Suricata/Snort rule: alert http any any -> $JUNIPER_MGMT any (msg:'Juniper SRX J-Web Auth Bypass CVE-2023-36851'; content:'webauth_operation.php'; http_uri; sid:2023368510;)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية (خلال 24 ساعة):
1. تعطيل واجهة J-Web على جميع أجهزة SRX فوراً إذا لم تكن ضرورية: 'delete system services web-management'
2. تقييد الوصول إلى J-Web على نطاقات IP الإدارية الموثوقة فقط باستخدام مرشحات جدار الحماية
3. مراجعة جميع أجهزة SRX للكشف عن تعرض J-Web للإنترنت أو الشبكات غير الموثوقة
4. مراجعة السجلات الأخيرة للكشف عن طلبات مشبوهة إلى webauth_operation.php
إرشادات التصحيح:
1. الترقية إلى إصدارات Junos OS المُصححة: 20.4R3-S8 أو 21.2R3-S6 أو 21.4R3-S5 أو 22.4R3 أو 23.2R1 أو أحدث
2. تطبيق التصحيحات خلال نافذة الصيانة التالية بعد تطبيق الضوابط التعويضية الفورية
3. التحقق من سلامة التصحيح قبل النشر
الضوابط التعويضية:
1. تطبيق قوائم التحكم بالوصول لتقييد J-Web على شبكة VLAN الإدارية فقط
2. نشر قواعد WAF لحظر الطلبات إلى webauth_operation.php من المصادر غير الموثوقة
3. تفعيل توقيعات IPS لمحاولات استغلال Juniper J-Web
4. تطبيق تجزئة الشبكة لعزل واجهات الإدارة
قواعد الكشف:
1. مراقبة سجلات HTTP/HTTPS لطلبات POST إلى '/webauth_operation.php' من عناوين IP غير موثوقة
2. التنبيه على أحداث إنشاء ملفات غير متوقعة في نظام ملفات Junos OS
3. إنشاء قواعد SIEM لأنماط تجاوز مصادقة J-Web الشاذة
4. نشر قاعدة Suricata/Snort للكشف عن محاولات الاستغلال
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Cybersecurity requirements for network security and perimeter protection
ECC-2-3-1: Access control and authentication requirements for critical systems
ECC-2-5-1: Patch and vulnerability management requirements
ECC-2-6-1: Network security monitoring and logging requirements
ECC-3-3-2: Secure configuration management for network devices
🔵 SAMA CSF
Cybersecurity Operations — Vulnerability Management domain
Cybersecurity Operations — Threat and Incident Management domain
Cybersecurity Architecture — Network Security controls
Cybersecurity Governance — Risk Management framework
Identity and Access Management — Authentication controls
🟡 ISO 27001:2022
A.8.8 — Management of technical vulnerabilities
A.8.20 — Networks security and perimeter controls
A.8.22 — Segregation of networks
A.5.15 — Access control policy
A.8.5 — Secure authentication mechanisms
A.8.9 — Configuration management
🟣 PCI DSS v4.0
Requirement 6.3.3 — All system components protected from known vulnerabilities by patching
Requirement 1.3 — Network access controls between trusted and untrusted networks
Requirement 8.2 — User identification and authentication management
Requirement 6.4.1 — Web-facing applications protected against known attacks
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Juniper:Junos OS