CVE-2026-33791
OS Command Injection in Juniper Junos CLI Allows Root Takeover
Publication date: 2026-04-09
Last updated on: 2026-04-22
Assigner: Juniper Networks, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| juniper | junos | 22.4 |
| juniper | junos | 22.4 |
| juniper | junos | 22.4 |
| juniper | junos | 22.4 |
| juniper | junos | 23.2 |
| juniper | junos | 22.4 |
| juniper | junos | 23.2 |
| juniper | junos | 22.4 |
| juniper | junos | 22.4 |
| juniper | junos | 22.4 |
| juniper | junos | 23.2 |
| juniper | junos | 23.2 |
| juniper | junos | 23.4 |
| juniper | junos | 23.4 |
| juniper | junos | 22.4 |
| juniper | junos | 22.4 |
| juniper | junos | 23.4 |
| juniper | junos | 23.2 |
| juniper | junos | 24.2 |
| juniper | junos | 24.2 |
| juniper | junos | 23.4 |
| juniper | junos | 22.4 |
| juniper | junos | 22.4 |
| juniper | junos | 22.4 |
| juniper | junos | 23.2 |
| juniper | junos | 23.2 |
| juniper | junos | 23.4 |
| juniper | junos | 23.4 |
| juniper | junos | 23.4 |
| juniper | junos | 23.4 |
| juniper | junos | 24.2 |
| juniper | junos | 24.2 |
| juniper | junos | to 22.4 (exc) |
| juniper | junos | 22.4 |
| juniper | junos | 22.4 |
| juniper | junos | 23.2 |
| juniper | junos | 23.2 |
| juniper | junos | 23.4 |
| juniper | junos | 24.2 |
| juniper | junos | 24.4 |
| juniper | junos | 24.4 |
| juniper | junos | 24.4 |
| juniper | junos | 24.4 |
| juniper | junos | 24.2 |
| juniper | junos | 23.4 |
| juniper | junos | 25.2 |
| juniper | junos | 25.2 |
| juniper | junos | 25.2 |
| juniper | junos | 25.2 |
| juniper | junos | 23.4 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 23.2 |
| juniper | junos_os_evolved | 23.2 |
| juniper | junos_os_evolved | 23.2 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 23.2 |
| juniper | junos_os_evolved | 23.2 |
| juniper | junos_os_evolved | 23.2 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 24.2 |
| juniper | junos_os_evolved | 24.2 |
| juniper | junos_os_evolved | 23.4 |
| juniper | junos_os_evolved | 23.4 |
| juniper | junos_os_evolved | 23.4 |
| juniper | junos_os_evolved | 23.2 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | to 22.4 (exc) |
| juniper | junos_os_evolved | 23.4 |
| juniper | junos_os_evolved | 23.4 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 22.4 |
| juniper | junos_os_evolved | 23.2 |
| juniper | junos_os_evolved | 23.2 |
| juniper | junos_os_evolved | 23.4 |
| juniper | junos_os_evolved | 23.4 |
| juniper | junos_os_evolved | 23.4 |
| juniper | junos_os_evolved | 23.4 |
| juniper | junos_os_evolved | 23.4 |
| juniper | junos_os_evolved | 24.2 |
| juniper | junos_os_evolved | 24.2 |
| juniper | junos_os_evolved | 24.2 |
| juniper | junos_os_evolved | 24.4 |
| juniper | junos_os_evolved | 24.4 |
| juniper | junos_os_evolved | 24.4 |
| juniper | junos_os_evolved | 24.4 |
| juniper | junos_os_evolved | 25.2 |
| juniper | junos_os_evolved | 25.2 |
| juniper | junos_os_evolved | 25.2 |
| juniper | junos_os_evolved | 23.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows a local, high-privileged attacker to execute arbitrary shell commands as root, leading to a complete compromise of the system.
Such a compromise could potentially lead to unauthorized access, modification, or destruction of sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of data confidentiality, integrity, and availability.
However, the provided information does not explicitly describe the direct effects on compliance with these standards.
Can you explain this vulnerability to me?
This vulnerability is an OS Command Injection issue in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved. It allows a local attacker with high privileges to execute specially crafted CLI commands that inject arbitrary shell commands running as root.
Specifically, certain 'set system' commands do not properly sanitize input arguments, enabling the attacker to execute arbitrary shell commands with root privileges, potentially leading to full system compromise.
How can this vulnerability impact me? :
The impact of this vulnerability is severe because it allows a local, high-privileged attacker to execute arbitrary commands as root on the affected system.
This can lead to a complete compromise of the system, including unauthorized access, modification, or destruction of data, disruption of services, and potential use of the system as a foothold for further attacks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your Junos OS or Junos OS Evolved to a fixed version that addresses the issue.
- For Junos OS, upgrade to versions 22.4R3-S8 or later, 23.2R2-S5 or later, 23.4R2-S7 or later, 24.2R2-S2 or later, 24.4R2 or later, or 25.2R2 or later.
- For Junos OS Evolved, upgrade to versions 22.4R3-S8-EVO or later, 23.2R2-S5-EVO or later, 23.4R2-S7-EVO or later, 24.2R2-S2-EVO or later, 24.4R2-EVO or later, or 25.2R1-S1-EVO / 25.2R2-EVO or later.
These upgrades ensure that the CLI processing properly sanitizes 'set system' commands to prevent arbitrary shell command injection.