Skip to content
Threat Feed
critical advisory

Juniper Networks J-Web Remote Code Execution Vulnerability Exploitation

Exploitation attempts targeting Juniper Networks J-Web interface via the webauth_operation.php endpoint to achieve remote code execution.

Juniper Networks devices, specifically those using the J-Web interface, are susceptible to remote code execution vulnerabilities. These vulnerabilities, including CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, allow attackers to execute arbitrary code on affected systems. The primary attack vector involves sending malicious requests to the /webauth_operation.php endpoint with manipulated PHPRC parameters. Successful exploitation grants the attacker unauthorized access, potentially leading to data theft, network compromise, and complete system control. Exploitation attempts have been observed targeting vulnerable Juniper SRX and EX series devices. Publicly available exploit code exists, increasing the likelihood of widespread exploitation.

Attack Chain

  1. The attacker identifies a vulnerable Juniper Networks device running J-Web.
  2. The attacker crafts a malicious HTTP POST request targeting the /webauth_operation.php endpoint.
  3. The request includes a PHPRC parameter containing PHP code designed to execute commands on the server.
  4. The vulnerable J-Web interface processes the request without proper sanitization.
  5. The attacker's PHP code executes with the privileges of the web server process.
  6. The attacker establishes a reverse shell connection to an external server using nc or bash -i.
  7. The attacker uses the reverse shell to execute commands, enumerate the system, and escalate privileges.
  8. The attacker installs a persistent backdoor, exfiltrates sensitive data, and pivots to other internal systems.

Impact

Successful exploitation of these vulnerabilities allows attackers to gain complete control over Juniper Networks devices. This can lead to data theft, network outages, and further compromise of internal networks. The vulnerabilities affect a wide range of Juniper SRX and EX series devices, potentially impacting numerous organizations. If successful, attackers can deploy ransomware, steal intellectual property, or disrupt critical network services.

Recommendation

  • Deploy the Sigma rules provided in this brief to your SIEM to detect exploitation attempts (rules: "Juniper J-Web RCE via webauth_operation.php" and "Juniper J-Web RCE Reverse Shell").
  • Inspect web server logs for requests to /webauth_operation.php?PHPRC=* (IOC: url: /webauth_operation.php?PHPRC=*) and investigate any matches.
  • Monitor for outbound network connections from Juniper devices to unusual or suspicious IP addresses, which may indicate a reverse shell (rule: "Juniper J-Web RCE Reverse Shell").
  • Patch CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847 on all affected Juniper devices immediately.

Detection coverage 3

Juniper J-Web RCE via webauth_operation.php

critical

Detects attempts to exploit the Juniper J-Web RCE vulnerability by monitoring requests to the webauth_operation.php endpoint with a PHPRC parameter.

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

Juniper J-Web RCE Reverse Shell

high

Detects potential reverse shell connections initiated from a Juniper J-Web server after successful RCE exploitation.

sigma tactics: command_and_control techniques: T1071.001, T1105 sources: network_connection, firewall

Juniper J-Web Suspicious PHP Upload

medium

Detects a suspicious attempt to upload PHP files to Juniper J-Web server.

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

Detection queries are available on the platform. Get full rules →