CVE-2026-33774 (GCVE-0-2026-33774)
Vulnerability from cvelistv5
Published
2026-04-09 21:34
Modified
2026-04-10 14:14
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:U/RE:L
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:U/RE:L
VLAI Severity ?
EPSS score ?
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Summary
An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device.
On MX platforms with
MPC10, MPC11, LC4800 or LC9600
line cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don't get executed when lo0.n is in the global VRF / default routing-instance.
An affected configuration would be:
user@host# show configuration interfaces lo0 | display set
set interfaces lo0 unit 1 family inet filter input <filter-name>
where a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it's used in the default RI.
The issue can be observed with the CLI command:
user@device> show firewall counter filter <filter_name>
not showing any matches.
This issue affects Junos OS on MX Series:
* all versions before 23.2R2-S6,
* 23.4 versions before 23.4R2-S7,
* 24.2 versions before 24.2R2,
* 24.4 versions before 24.4R2.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Juniper Networks | Junos OS |
Version: 0 ≤ Version: 23.4 ≤ Version: 24.2 ≤ Version: 24.4 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33774",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T14:14:09.835711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T14:14:24.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"MX Series"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "23.2R2-S6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S7",
"status": "affected",
"version": "23.4",
"versionType": "semver"
},
{
"lessThan": "24.2R2",
"status": "affected",
"version": "24.2",
"versionType": "semver"
},
{
"lessThan": "24.4R2",
"status": "affected",
"version": "24.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-04-08T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOn MX platforms with \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMPC10, MPC11, LC4800 or LC9600\u003c/span\u003e\n\nline cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don\u0027t get executed when lo0.n is in the global VRF / default routing-instance.\u003cbr\u003e\u003cbr\u003e An affected configuration would be:\u003cbr\u003e\u003c/span\u003e\u003ctt\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003euser@host# show configuration interfaces lo0 | display set\u003cbr\u003eset interfaces lo0 unit 1 family inet filter input \u0026lt;filter-name\u0026gt;\u003c/span\u003e\u003c/tt\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\u003cbr\u003ewhere a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it\u0027s used in the default RI.\u003cbr\u003e\u003cbr\u003eThe issue can be observed with the CLI command:\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003ctt\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003euser@device\u0026gt; show firewall counter filter \u0026lt;filter_name\u0026gt;\u003c/span\u003e\u003c/tt\u003e \u003cbr\u003e\u003cbr\u003enot showing any matches.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Junos OS on MX Series:\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 23.2R2-S6,\u003c/li\u003e\u003cli\u003e23.4 versions before 23.4R2-S7,\u003c/li\u003e\u003cli\u003e24.2 versions before 24.2R2,\u003c/li\u003e\u003cli\u003e24.4 versions before 24.4R2.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device.\n\nOn MX platforms with \n\nMPC10, MPC11, LC4800 or LC9600\n\nline cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don\u0027t get executed when lo0.n is in the global VRF / default routing-instance.\n\n An affected configuration would be:\n\nuser@host# show configuration interfaces lo0 | display set\nset interfaces lo0 unit 1 family inet filter input \u003cfilter-name\u003e\n\nwhere a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it\u0027s used in the default RI.\n\nThe issue can be observed with the CLI command:\n\nuser@device\u003e show firewall counter filter \u003cfilter_name\u003e \n\nnot showing any matches.\n\nThis issue affects Junos OS on MX Series:\n\n * all versions before 23.2R2-S6,\n * 23.4 versions before 23.4R2-S7,\n * 24.2 versions before 24.2R2,\n * 24.4 versions before 24.4R2."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:U/RE:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T21:34:21.126Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://kb.juniper.net/JSA107865"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue: 23.2R2-S6, 23.4R2-S7, 24.2R2, 24.4R2, 25.2R1, and all subsequent releases."
}
],
"value": "The following software releases have been updated to resolve this specific issue: 23.2R2-S6, 23.4R2-S7, 24.2R2, 24.4R2, 25.2R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA107865",
"defect": [
"1855648"
],
"discovery": "USER"
},
"title": "Junos OS: MX Series: Firewall filters on lo0.\u003cnon-0\u003e in the default routing instance are not in effect",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRenaming the lo0 logical unit used in the default routing instance from non-0 to 0 resolves this issue.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Renaming the lo0 logical unit used in the default routing instance from non-0 to 0 resolves this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2026-33774",
"datePublished": "2026-04-09T21:34:21.126Z",
"dateReserved": "2026-03-23T19:46:13.668Z",
"dateUpdated": "2026-04-10T14:14:24.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33774\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-10T14:14:09.835711Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-10T14:14:16.212Z\"}}], \"cna\": {\"title\": \"Junos OS: MX Series: Firewall filters on lo0.\u003cnon-0\u003e in the default routing instance are not in effect\", \"source\": {\"defect\": [\"1855648\"], \"advisory\": \"JSA107865\", \"discovery\": \"USER\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"USER\", \"baseScore\": 6.9, \"Automatable\": \"YES\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:U/RE:L\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Juniper Networks\", \"product\": \"Junos OS\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"23.2R2-S6\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"23.4\", \"lessThan\": \"23.4R2-S7\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"24.2\", \"lessThan\": \"24.2R2\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"24.4\", \"lessThan\": \"24.4R2\", \"versionType\": \"semver\"}], \"platforms\": [\"MX Series\"], \"defaultStatus\": \"unaffected\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"Juniper SIRT is not aware of any malicious exploitation of this vulnerability.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Juniper SIRT is not aware of any malicious exploitation of this vulnerability.\", \"base64\": false}]}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The following software releases have been updated to resolve this specific issue: 23.2R2-S6, 23.4R2-S7, 24.2R2, 24.4R2, 25.2R1, and all subsequent releases.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The following software releases have been updated to resolve this specific issue: 23.2R2-S6, 23.4R2-S7, 24.2R2, 24.4R2, 25.2R1, and all subsequent releases.\", \"base64\": false}]}], \"datePublic\": \"2026-04-08T16:00:00.000Z\", \"references\": [{\"url\": \"https://kb.juniper.net/JSA107865\", \"tags\": [\"vendor-advisory\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Renaming the lo0 logical unit used in the default routing instance from non-0 to 0 resolves this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eRenaming the lo0 logical unit used in the default routing instance from non-0 to 0 resolves this issue.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device.\\n\\nOn MX platforms with \\n\\nMPC10, MPC11, LC4800 or LC9600\\n\\nline cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don\u0027t get executed when lo0.n is in the global VRF / default routing-instance.\\n\\n An affected configuration would be:\\n\\nuser@host# show configuration interfaces lo0 | display set\\nset interfaces lo0 unit 1 family inet filter input \u003cfilter-name\u003e\\n\\nwhere a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it\u0027s used in the default RI.\\n\\nThe issue can be observed with the CLI command:\\n\\nuser@device\u003e show firewall counter filter \u003cfilter_name\u003e \\n\\nnot showing any matches.\\n\\nThis issue affects Junos OS on MX Series:\\n\\n * all versions before 23.2R2-S6,\\n * 23.4 versions before 23.4R2-S7,\\n * 24.2 versions before 24.2R2,\\n * 24.4 versions before 24.4R2.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eOn MX platforms with \\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eMPC10, MPC11, LC4800 or LC9600\u003c/span\u003e\\n\\nline cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don\u0027t get executed when lo0.n is in the global VRF / default routing-instance.\u003cbr\u003e\u003cbr\u003e An affected configuration would be:\u003cbr\u003e\u003c/span\u003e\u003ctt\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u003cbr\u003euser@host# show configuration interfaces lo0 | display set\u003cbr\u003eset interfaces lo0 unit 1 family inet filter input \u0026lt;filter-name\u0026gt;\u003c/span\u003e\u003c/tt\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u003cbr\u003e\u003cbr\u003ewhere a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it\u0027s used in the default RI.\u003cbr\u003e\u003cbr\u003eThe issue can be observed with the CLI command:\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003ctt\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003euser@device\u0026gt; show firewall counter filter \u0026lt;filter_name\u0026gt;\u003c/span\u003e\u003c/tt\u003e \u003cbr\u003e\u003cbr\u003enot showing any matches.\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Junos OS on MX Series:\u003c/p\u003e\u003cul\u003e\u003cli\u003eall versions before 23.2R2-S6,\u003c/li\u003e\u003cli\u003e23.4 versions before 23.4R2-S7,\u003c/li\u003e\u003cli\u003e24.2 versions before 24.2R2,\u003c/li\u003e\u003cli\u003e24.4 versions before 24.4R2.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-754\", \"description\": \"CWE-754 Improper Check for Unusual or Exceptional Conditions\"}]}], \"providerMetadata\": {\"orgId\": \"8cbe9d5a-a066-4c94-8978-4b15efeae968\", \"shortName\": \"juniper\", \"dateUpdated\": \"2026-04-09T21:34:21.126Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33774\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-10T14:14:24.774Z\", \"dateReserved\": \"2026-03-23T19:46:13.668Z\", \"assignerOrgId\": \"8cbe9d5a-a066-4c94-8978-4b15efeae968\", \"datePublished\": \"2026-04-09T21:34:21.126Z\", \"assignerShortName\": \"juniper\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…