CVE-2023-36847

MEDIUM KEV RANSOMWARE

Juniper Networks Junos OS - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2023-36847 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 13, 2023, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-36847, which chains multiple Juniper JunOS vulnerabilities to achieve remote code execution. The exploit uploads a malicious PHP file and an INI file to execute arbitrary PHP code on the target system.

Description

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S8; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S1; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3.

Exploits (2)

vulncheck_xdb WORKING POC
remote
https://github.com/r3dcl1ff/CVE-2023-36844_Juniper_RCE

This repository contains a functional exploit for CVE-2023-36847, which chains multiple Juniper JunOS vulnerabilities to achieve remote code execution. The exploit uploads a malicious PHP file and an INI file to execute arbitrary PHP code on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Juniper JunOS (SRX and EX Series)
No auth needed
Prerequisites: Target must be running vulnerable Juniper JunOS · Network access to the target system
devstral-2 · analyzed Feb 25, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844

This repository contains a functional exploit PoC for chaining CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847 to achieve remote code execution on Juniper JunOS SRX and EX Series devices. The exploit leverages a pre-authentication file upload vulnerability to upload a malicious PHP file and a configuration file, then executes arbitrary PHP code by manipulating the PHPRC environment variable.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Juniper JunOS (SRX and EX Series)
No auth needed
Prerequisites: Network access to the target device · J-Web interface exposed
devstral-2 · analyzed Feb 25, 2026 Full analysis →

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory mitigation
https://supportportal.juniper.net/JSA72300

Scores

CVSS v3 5.3
EPSS 0.9387
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-11-13
VulnCheck KEV 2023-08-29
InTheWild.io 2023-11-08
ENISA EUVD EUVD-2023-40767
Ransomware Use Confirmed
CWE
CWE-306
Status published
Products (4)
juniper/junos 20.4 (14 CPE variants)
juniper/junos 21.1 r1 (11 CPE variants)
juniper/junos 21.2 (13 CPE variants)
juniper/junos 21.3 (12 CPE variants)
Published Aug 17, 2023
KEV Added Nov 13, 2023
Tracked Since Feb 18, 2026