Juniper PTX Routers Face Critical RCE via Junos OS Evolved Flaw
Vulnerability Overview
Juniper Networks has issued an out-of-band security advisory regarding a critical vulnerability affecting its PTX Series routers running Junos OS Evolved. According to SecurityWeek, the flaw is tracked as CVE-2024-21602 and carries a CVSS score of 9.8, indicating a critical severity level. The vulnerability allows an unauthenticated, network-based attacker to achieve remote code execution (RCE) by exploiting an issue in the Evolution Packet Forwarding Engine Daemon (evo-pfed).
Because PTX Series routers are high-capacity core platforms often deployed in service provider environments and large-scale data centers, a compromise at this level can lead to total network traffic interception, unauthorized redirection, or broad service disruption. The out-of-band nature of this update underscores the urgency for infrastructure teams to address the flaw before it is weaponized by threat actors.
Technical Analysis of CVE-2024-21602
The vulnerability resides in the cryptographic signature verification mechanism within the evo-pfed process. In the Junos OS Evolved architecture, this process is responsible for managing the forwarding plane and facilitating communication between the control plane and the hardware-specific components of the router.
An attacker can exploit this weakness by sending specially crafted packets to the device. The system fails to correctly validate the authenticity of these communications due to the signature verification flaw, allowing malicious instructions to be processed as legitimate control signals. Crucially, this exploit can be triggered over the network without requiring any prior authentication, valid credentials, or user interaction.
Affected Systems and Platforms
The flaw specifically impacts Junos OS Evolved on several PTX Series platforms. Juniper has confirmed that the following devices are vulnerable if running affected software versions:
- PTX10001-36MR
- PTX10003
- PTX10004
- PTX10008
- PTX10016
Standard Junos OS (non-Evolved) is not affected by this specific vulnerability. While the vulnerability was identified during internal security testing and there are currently no known instances of exploitation in the wild, the technical profile of the flaw makes it an attractive target for Advanced Persistent Threats (APTs) seeking to compromise backbone networking equipment.
Strategic Implications for Defenders
Core routing infrastructure is a high-value target for sophisticated adversaries because it provides a stealthy foothold for long-term persistence. By compromising a router at the operating system level, an attacker can bypass traditional host-based security controls, sniff unencrypted transit traffic, and facilitate lateral movement across both management and data planes.
The “critical” classification is justified by the role PTX routers play in global transit. A successful exploit could allow an adversary to establish a man-in-the-middle (MitM) position, potentially altering data flows or disrupting the availability of entire network segments. Given the scale of PTX deployments, the blast radius of a single compromised device is substantial.
Recommended Mitigations
Juniper Networks has released patched versions of Junos OS Evolved to address CVE-2024-21602. Organizations should prioritize updating to one of the following fixed releases:
- 21.2R3-S7-EVO
- 21.4R3-S5-EVO
- 22.2R3-S3-EVO
- 22.3R3-S2-EVO
- 22.4R3-EVO
- 23.2R2-EVO
In addition to immediate patching, security teams should implement the following hardening measures to reduce the attack surface:
- Restrict Management Access: Ensure that management interfaces, including SSH and J-Web, are only accessible via a secure, out-of-band management network.
- Control Plane Protection: Utilize firewall filters to strictly limit the types of traffic allowed to reach the Routing Engine (RE) from untrusted networks.
- Logging and Monitoring: Monitor for unusual crashes or restarts of the evo-pfed process, which may serve as a leading indicator of exploit attempts or research activity by an adversary.