This vulnerability is being actively exploited in the wild.
A vulnerability allowing PHP external variable modification has been identified in Juniper Networks Junos OS, specifically on EX Series and SRX Series devices. This vulnerability allows an unauthenticated, network-based attacker to remotely execute code by manipulating the PHP execution environment. The issue arises from the J-Web component, where attackers can send crafted requests that modify important environment variables, particularly PHPRC. This modification enables the injection and execution of arbitrary code. The vulnerability affects all versions prior to 20.4R3-S9, as well as specific 21.x, 22.x, and 23.2 versions, with the exception of certain patched releases.
Exploitation of this vulnerability allows for unauthorized remote code execution on the affected device.
To reproduce this vulnerability, send a POST request to the device's J-Web interface with the PHPRC variable set to '/dev/fd/0'. Include the 'allow_url_include' parameter set to '1' and the 'auto_prepend_file' parameter with a data URL that contains a base64-encoded PHP payload. The server's response should indicate that the PHP environment variable manipulation was successful, confirming the vulnerability.
Users are advised to upgrade to Junos OS versions 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S2, 22.3R2-S2, 22.3R3-S1, 22.4R2-S1, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and all subsequent releases. For EX Series, the mentioned versions are available, while for SRX Series, the latest releases are 23.2R1-S1 and 23.2R2.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
