CVE-2026-57028
Undergoing Analysis Undergoing Analysis - In Progress

Improper Network Channel Restriction in Junos OS Evolved Leads to License Exhaustion

Vulnerability report for CVE-2026-57028, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: Juniper Networks, Inc.

Description

An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause license exhaustion. Due to an incorrect initialization, a process which should only be able to communicate internally within the device, can be reached over the network via an open port. This leads to unauthorized access to the license management. This issue affects all Junos OS Evolved versions before 23.2R2-EVO.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
juniper_networks junos_os_evolved to 23.2R2-EVO (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

The vulnerability can be exploited by an unauthenticated network attacker to cause license exhaustion on affected devices. This means the attacker can disrupt the normal licensing functionality, potentially leading to denial of service or loss of access to licensed features.

Executive Summary

This vulnerability is an Improper Restriction of Communication Channel to Intended Endpoints in Juniper Networks Junos OS Evolved. It allows an unauthenticated attacker on the network to access a process that should only communicate internally within the device. Due to incorrect initialization, this internal process is exposed via an open network port, leading to unauthorized access to the license management system.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57028. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart