CVE-2026-33785
Missing Authorization in Junos OS MX CLI Enables Full Device Compromise
Publication date: 2026-04-09
Last updated on: 2026-04-17
Assigner: Juniper Networks, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| juniper | junos | 24.4 |
| juniper | junos | 25.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Missing Authorization issue in the command-line interface (CLI) of Juniper Networks Junos OS on MX Series devices. It allows a local, authenticated user with low privileges to execute specific commands that should only be available to high-privileged users or those designated for Juniper Device Manager (JDM) or Connected Security Distributed Services (CSDS) operations.
Specifically, any logged-in user can issue the 'request csds' CLI operational commands without requiring the necessary privileges. These commands can impact all aspects of the devices managed via the MX Series, potentially leading to a complete compromise of the managed devices.
How can this vulnerability impact me?
The vulnerability can lead to a complete compromise of managed devices running Junos OS on MX Series. Since low-privileged users can execute powerful commands without proper authorization, attackers could manipulate device operations, potentially disrupting network services, accessing sensitive configurations, or causing denial of service.