
Junos J-Web vulnerabilities

31 October 2022 | CERT, SOC, Vulnerability
Juniper vulnerability

This live blog contains information regarding the Junos J-Web vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 31, 2022.

Update October 31, 2022

17:30 | On 12 October 2022, Juniper Networks published a security bulletin describing six vulnerabilities in the J-Web interface of Junos OS. The most severe of them allows an unauthenticated remote attacker to execute arbitrary code. On Friday 28 October 2022, the security research firm Octagon Networks published further technical details on all six vulnerabilities.

Currently, no public exploit code is available and there are no reports of exploitation in the wild. However, given the level of detail in the Octagon Networks write-up, it is likely that exploits will be developed.

Juniper Networks has published software updates and workarounds for these vulnerabilities. Applying the updates, or the workarounds where updating is not yet possible, is highly recommended.

Reason and background of this blog

This blog contains information about the vulnerabilities, the possible risk and advice on how to prevent or limit damage. The possible risks, details and background information follow below.

Potential Risk

The most severe vulnerability allows an unauthenticated remote attacker to execute arbitrary code. In addition, several of the other vulnerabilities can be chained to increase both the likelihood and the impact of exploitation.

Currently, there are no reports of exploitation in the wild and there is no publicly available proof-of-concept code for any of the six vulnerabilities. This may change, however, given the details published in the Octagon Networks blog.

Details

Juniper Networks disclosed six vulnerabilities in the J-Web interface of Junos OS in its security bulletin. Octagon Networks has analysed and described all six and developed proof-of-concept exploit code, which it has decided not to publish yet.

An overview of the vulnerabilities can be found in the table below.

CVE | Description | CVE published | CVSS v3 score | EPSS score | EPSS percentile
CVE-2022-22241 | Remote pre-authenticated Phar deserialization leading to RCE | 2022-10-18 | 9.8 | 0.00885 | 0.26763
CVE-2022-22242 | Pre-authenticated reflected XSS on the error page | 2022-10-18 | 6.1 | 0.00885 | 0.26763
CVE-2022-22243 | XPath injection in jsdm/ajax/wizards/setup/setup.php | 2022-10-18 | 4.3 | 0.00885 | 0.26763
CVE-2022-22244 | XPath injection in the send_raw() method | 2022-10-18 | 5.3 | 0.00885 | 0.26763
CVE-2022-22245 | Path traversal during file upload leading to RCE | 2022-10-18 | 4.3 | 0.00885 | 0.26763
CVE-2022-22246 | PHP file inclusion via /jrest.php | 2022-10-18 | 8.8 | 0.00885 | 0.26763

Table 1 – CVE details information on the 31st of October 2022

The current EPSS scores indicate a low probability of exploitation. That is expected to change now that the Octagon Networks write-up is public and public proof-of-concept code is likely to follow. Chaining several of the vulnerabilities also raises both the likelihood and the impact of exploitation.
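For SOC teams that collect web access logs from in front of J-Web, the endpoints named in Table 1 give something concrete to watch while patching is under way. The following is an added example (not code from Tesorion, Juniper or Octagon Networks). It assumes access lines in Apache common log format, as a collector or reverse proxy would record them; the trusted management range and the sample lines are constructed. The two request indicators are class-level (the phar:// stream wrapper that Phar deserialization depends on, and parent-directory segments for path traversal), not signatures taken from Octagon Networks' research.

```python
"""Heuristic triage of web access logs for the J-Web endpoints in Table 1.

Added example, not code from Tesorion, Juniper or Octagon Networks. Assumes
Apache common log format; trusted range and sample log lines are constructed.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# J-Web paths named on the page (CVE-2022-22243 and CVE-2022-22246). The error
# page and the upload handler are not given a path on the page, so they are left out.
WATCHED_PATHS = ("/jsdm/ajax/wizards/setup/setup.php", "/jrest.php")

# Assumption: the only networks that should reach J-Web (Juniper's workaround is
# to restrict J-Web to trusted hosts). Replace with your own management ranges.
TRUSTED_NETS = [ip_network("10.10.0.0/24")]

# Class-level indicators for two vulnerability classes in Table 1, not
# signatures from Octagon Networks' research: the phar:// stream wrapper that
# Phar deserialization relies on, and parent-directory segments for traversal.
INDICATORS = {"phar://": "phar-wrapper", "../": "path-traversal"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def is_trusted(src: str) -> bool:
    """True when the client address falls inside a trusted management range."""
    try:
        addr = ip_address(src)
    except ValueError:          # hostnames or garbage are never trusted
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage_line(line: str):
    """Parse one access-log line; return a dict with its findings, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m["target"])          # decode %2F etc. before matching
    path = target.split("?", 1)[0]
    findings = []
    watched = any(path == p or path.startswith(p + "/") for p in WATCHED_PATHS)
    if watched and not is_trusted(m["src"]):
        findings.append("jweb-endpoint-from-untrusted-source")
    for needle, label in INDICATORS.items():
        if needle in target:
            findings.append(label)
    return {"src": m["src"], "ts": m["ts"], "method": m["method"],
            "path": path, "findings": findings}


def triage(log_text: str):
    """Return the parsed lines that produced at least one finding, in log order."""
    results = (triage_line(line) for line in log_text.splitlines() if line.strip())
    return [r for r in results if r and r["findings"]]


# Constructed sample log: one trusted admin, one untrusted host hitting both
# endpoints, and one traversal attempt against an unrelated page.
SAMPLE_LOG = """\
10.10.0.5 - - [31/Oct/2022:09:14:02 +0100] "GET /jrest.php HTTP/1.1" 200 512
203.0.113.7 - - [31/Oct/2022:09:15:11 +0100] "GET /jsdm/ajax/wizards/setup/setup.php HTTP/1.1" 200 1024
203.0.113.7 - - [31/Oct/2022:09:15:12 +0100] "POST /jrest.php HTTP/1.1" 500 88
198.51.100.9 - - [31/Oct/2022:09:16:40 +0100] "GET /index.php?f=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0
10.10.0.5 - - [31/Oct/2022:09:17:03 +0100] "GET /index.php HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["method"]} {hit["path"]} -> {", ".join(hit["findings"])}')
```

Run against the constructed sample, the trusted admin's request to /jrest.php is silent, the two requests from 203.0.113.7 are flagged as untrusted access to a J-Web endpoint, and the URL-encoded traversal attempt is caught only because the request target is decoded before matching. Any hit from outside the management range is worth a look regardless of indicators: with the workaround applied, there should be none.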

Juniper Networks has published software patches and two workarounds: disable J-Web altogether, or restrict access to it to trusted hosts only. It is strongly advised to upgrade to one of the following software versions, in which the vulnerabilities are fixed:

  • 19.1 – 19.1R3-S9 or later;
  • 19.2 – 19.2R3-S6 or later;
  • 19.3 – 19.3R3-S7 or later;
  • 19.4 – 19.4R3-S9 or later;
  • 20.1 – 20.1R3-S5 or later;
  • 20.2 – 20.2R3-S5 or later;
  • 20.3 – 20.3R3-S5 or later;
  • 20.4 – 20.4R3-S4 or later;
  • 21.1 – 21.1R3-S2 or later;
  • 21.2 – 21.2R3-S1 or later;
  • 21.3 – 21.3R3 or later;
  • 21.4 – 21.4R3 or later;
  • 22.1 – 22.1R2 or later;
  • 22.2 – 22.2R1 or later.
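Deciding whether a device is on a fixed release is error-prone by eye because Junos release strings carry a release number, an optional service release and an optional build (for example 19.4R3-S8.4). The following is an added example, not Juniper's or Tesorion's code: it copies the fixed-release list above into a table, parses a release string into a comparable tuple, and classifies the release reported by a (constructed) `show version` excerpt. Releases on a train that is not in the list come back as "unknown" rather than being guessed at, so older trains such as 18.x still have to be checked against the Juniper advisory.

```python
"""Fix-status check for Junos OS against the J-Web fixed releases listed above.

Added example, not Juniper's or Tesorion's code. FIXED copies the list from
this post; the 'show version' output below is constructed.
"""
import re

# First fixed release per train (major, minor), taken from the list above.
FIXED = {
    (19, 1): "19.1R3-S9", (19, 2): "19.2R3-S6", (19, 3): "19.3R3-S7",
    (19, 4): "19.4R3-S9", (20, 1): "20.1R3-S5", (20, 2): "20.2R3-S5",
    (20, 3): "20.3R3-S5", (20, 4): "20.4R3-S4", (21, 1): "21.1R3-S2",
    (21, 2): "21.2R3-S1", (21, 3): "21.3R3", (21, 4): "21.4R3",
    (22, 1): "22.1R2", (22, 2): "22.2R1",
}

# Junos release strings look like 19.4R3-S8.4: train 19.4, release R3,
# service release S8 (optional), build 4 (optional).
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<release>\d+)"
    r"(?:-S(?P<service>\d+))?(?:\.(?P<build>\d+))?$"
)


def parse_version(text: str) -> tuple:
    """Turn a Junos release string into a comparable tuple.

    Service releases are cumulative fixes on top of a release, so the S number
    is compared before the build number: 19.4R3.11 sorts below 19.4R3-S1.1.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Junos OS release string: {text!r}")
    g = m.groupdict(default="0")
    return tuple(int(g[k]) for k in ("major", "minor", "release", "service", "build"))


def fix_status(version: str) -> str:
    """'fixed', 'vulnerable', or 'unknown' (train not in the list above)."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= parse_version(fixed) else "vulnerable"


def check_show_version(output: str):
    """Pull the release from 'show version' output and classify it.

    Returns (release, status), or None if no 'Junos:' line is present.
    """
    m = re.search(r"^Junos:\s+(\S+)", output, re.MULTILINE)
    if not m:
        return None
    return m.group(1), fix_status(m.group(1))


# Constructed 'show version' excerpt from an SRX running a pre-fix release.
SAMPLE_SHOW_VERSION = """\
Hostname: srx-edge-01
Model: srx340
Junos: 19.4R3-S8.4
JUNOS Software Release [19.4R3-S8.4]
"""

if __name__ == "__main__":
    print(check_show_version(SAMPLE_SHOW_VERSION))   # ('19.4R3-S8.4', 'vulnerable')
    for v in ("19.4R3-S9", "21.3R2", "21.3R3-S1", "22.2R1.10", "18.4R3-S10"):
        print(v, fix_status(v))
```

The ordering rule in parse_version is the part that matters: a higher build number on the base release (19.4R3.11) is still older than the first service release (19.4R3-S1), so a plain string comparison would call some vulnerable devices fixed. Feed the function the output of `show version` from each device, or the version field from your inventory, and treat every "unknown" as a manual check rather than a pass.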
