
Thousands of Juniper Devices Vulnerable to Unauthenticated RCE Flaw

An estimated 12,000 Juniper SRX firewalls and EX switches are vulnerable to a fileless remote code execution flaw that attackers can exploit without authentication. In August, Juniper disclosed numerous 'PHP environment variant manipulation' (CVE-2023-36844/CVE-2023-36845) and 'Missing Authentication for Critical Function' (CVE-2023-36846/CVE-2023-36847) vulnerabilities that, by themselves, had only a 'medium' severity rating of 5.3. When chained together, however, these vulnerabilities become a critical remote code execution flaw with a rating of 9.8.

In a later technical report, watchTowr Labs released a PoC that chained the CVE-2023-36845 and CVE-2023-36846 flaws, allowing the researchers to remotely execute code by uploading two files to a vulnerable device. Today, VulnCheck vulnerability researcher Jacob Baines released another PoC exploit that uses only CVE-2023-36845, bypassing the need to upload files while still achieving remote code execution. As part of his report, Baines shared a free scanner on GitHub to help identify vulnerable deployments; it shows thousands of vulnerable devices exposed on the internet.


