Hackers are already exploiting the critical vulnerability CVE-2026-21902 in Juniper PTX routers, which allows full control over network equipment without authentication. The vulnerability was disclosed at the end of February, and the first hacking attempts were recorded on March 15.
Juniper disclosed a critical remote code execution (RCE) vulnerability in the Junos OS Evolved operating system for PTX series routers. The CVSS criticality rating is 9.8 out of 10. Although exploits are not yet in widespread circulation, the threat concerns telecommunications operators and data centers around the world, including organizations in Central Asia.
What happened: CVE-2026-21902 vulnerability in Juniper PTX
Juniper released an emergency patch at the end of February 2026 for the critical vulnerability CVE-2026-21902 in the PTX series routers. The vulnerability allows attackers to execute arbitrary code on the device without the need for authentication. The CVSS criticality rating is 9.8, indicating the maximum level of danger.
Initially, there were no signs of active exploitation when the vulnerability was disclosed. However, security researchers quickly developed a working exploit, demonstrating how quickly a disclosure can be turned into a weaponized tool. By March 15, 2026, the Shadowserver monitoring service recorded potential exploitation attempts of CVE-2026-21902, and the vulnerability was added to the Known Exploited Vulnerabilities (KEV) database by VulnCheck.
Juniper PTX routers are high-performance devices used in backbone-level telecommunications networks and data center interconnects. Although these devices are typically not accessible from the outside, they represent a critical component of the infrastructure for technology and communications organizations.
Who is behind the attacks: Connection to state-sponsored hackers
Analysts link the interest in Juniper router vulnerabilities to the activities of state-sponsored hacking groups. The most well-known of these is Salt Typhoon, linked to China, which is responsible for global hacks on multiple telecommunications networks for intelligence gathering and espionage. Another Chinese group, UNC3886, also specializes in attacks on Juniper routers, albeit on older versions of the Junos operating system.
The CVE-2026-21902 vulnerability is of particular interest to state actors because it provides access to critical network equipment for long-term espionage operations. Potential objectives include intercepting and analyzing traffic, manipulating data flows, or even preparing for future destructive operations against critical communication lines. Unlike vulnerabilities in externally exposed services, this threat is less about mass exploitation than about targeted operations against strategically important infrastructure.
Risk to Telecommunications and Data Centers
Juniper PTX routers are used in critical infrastructure that ensures the functioning of the internet and telecommunications networks. Compromise of this equipment can lead to the interception of confidential information, data integrity breaches, or complete service outages at the regional level.
For organizations operating such infrastructure, this poses a serious threat. Although widespread exploitation has not yet been observed, the combination of the vulnerability's criticality, the availability of working exploits, and the interest of state actors creates a high level of risk. Companies using Juniper PTX routers should consider this vulnerability as a priority threat to their infrastructure.
For organizations in Kazakhstan and Central Asia that rely on international telecommunications channels and cloud services, compromising such devices can have serious consequences. Telecommunications operators and data center providers should immediately check for vulnerable equipment in their networks.
Recommendations for Protection Against CVE-2026-21902
Juniper recommends immediately applying the patch for CVE-2026-21902 on all affected devices. If applying the patch is not possible in the short term, the company suggests disabling the anomalies service via the command 'request pfe anomalies disable' if this service is not critical for operations.
Additional security measures include restricting network access to vulnerable devices to only known and trusted networks and systems. Organizations should also enhance traffic monitoring to PTX routers and implement intrusion detection systems to detect exploitation attempts.
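The access restriction recommended above, as an added example that is not part of the original article or of Juniper's advisory: a Junos loopback filter that admits only trusted management sources and the router's configured BGP peers to the routing engine and logs everything else. The prefixes are placeholders, the filter covers IPv4 only, and a term must be added for each control-plane protocol the router actually runs before it is committed (apply it with "commit confirmed" so a mistake rolls back automatically).

```junos
policy-options {
    prefix-list trusted-mgmt-nets {
        192.0.2.0/24;        # placeholder: NOC / jump-host range
        198.51.100.10/32;    # placeholder: monitoring collector
    }
    prefix-list bgp-peers {
        # derive permitted peers from the router's own BGP configuration
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}
firewall {
    family inet {
        filter protect-re {
            term trusted-mgmt {
                from {
                    source-prefix-list { trusted-mgmt-nets; }
                    protocol tcp;
                    destination-port [ ssh 830 ];   # CLI and NETCONF only
                }
                then accept;
            }
            term bgp-peers {
                from {
                    source-prefix-list { bgp-peers; }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            # add one accept term per control-plane protocol in use (OSPF, LDP, RSVP, BFD, NTP, SNMP, ICMP) before this term
            term default-deny {
                # logged drops are the detection signal for access attempts from outside the trusted networks
                then { syslog; discard; }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```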
Companies like Alashed IT (it.alashed.kz) can help organizations in Kazakhstan audit their infrastructure, identify vulnerable equipment, and develop a plan for applying patches and implementing additional security measures. Timely response to this threat is critical for protecting national telecommunications infrastructure.
Context: Growing Threat from State-Sponsored Hackers
CVE-2026-21902 is part of a broader trend where state-sponsored hacking groups increasingly target critical infrastructure. March 2026 has seen a significant increase in cyberattacks linked to geopolitical conflicts. Iranian groups have attacked the medical company Stryker, Chinese actors continue operations against telecommunications networks, and European and American security agencies warn of a growing threat from various state actors.
In this context, the vulnerability in Juniper routers takes on even greater significance. State actors use such vulnerabilities not for mass theft but for long-term positioning in the critical infrastructure of their adversaries. This allows them to gather intelligence, prepare platforms for future operations, or demonstrate their capabilities during conflicts.
For organizations in Central Asia, this means the need to increase cybersecurity and more actively monitor their infrastructure. Regional telecommunications operators and providers must consider protection against state actors as a priority task, not just protection against ordinary cybercrime.
What This Means for Kazakhstan
For Kazakhstan and Central Asian countries, the CVE-2026-21902 vulnerability poses a direct threat to national telecommunications infrastructure. Juniper PTX routers are used by major telecommunications operators in the region to provide international communication channels and in-house backbones. Compromise of such equipment can lead to the interception of data from Kazakhstani users, disruption of critical services, and even complete internet outages at the regional level. Kazakhstani telecommunications companies, such as Kazakhtelecom and Beeline Kazakhstan, must immediately check for vulnerable equipment in their networks and apply patches. The Agency for Protection and Development of Competition of Kazakhstan should issue recommendations for telecommunications operators to protect against this threat. Organizations working with cloud services and international communication channels are also at risk, as their traffic may pass through compromised equipment.
The CVE-2026-21902 vulnerability in Juniper PTX routers has a CVSS criticality rating of 9.8 and has already been exploited by hackers since March 15, 2026.
The CVE-2026-21902 vulnerability in Juniper PTX routers poses a serious threat to the telecommunications infrastructure of Kazakhstan and Central Asia. Although widespread exploitation has not yet been observed, the availability of working exploits and the interest of state-sponsored hacking groups make this threat critical. Organizations need to immediately apply Juniper patches and enhance their infrastructure monitoring. Delay in response can lead to the compromise of critical equipment and serious consequences for national security and the economy of the region.
Frequently Asked Questions
What is CVE-2026-21902 and why is it dangerous?
CVE-2026-21902 is a critical remote code execution vulnerability in Juniper PTX routers with a CVSS rating of 9.8. It allows attackers to gain full control over the device without the need for authentication. Juniper PTX routers are used in the critical infrastructure of telecommunications networks and data centers, so their compromise can lead to data interception, service disruptions, or complete internet outages at the regional level.
Who is already exploiting this vulnerability?
According to Shadowserver monitoring, the first exploitation attempts of CVE-2026-21902 were recorded on March 15, 2026. Analysts link the interest in this vulnerability to the activities of state-sponsored hacking groups, particularly the Chinese group Salt Typhoon, which specializes in attacks on telecommunications networks. Although widespread exploitation has not yet been observed, the threat comes from targeted operations by state actors.
Which organizations are at risk?
At risk are telecommunications operators, data center providers, and large technology companies using Juniper PTX routers. In Kazakhstan, this includes telecommunications operators such as Kazakhtelecom and Beeline Kazakhstan, as well as organizations relying on international communication channels. Compromise of such equipment can lead to the interception of confidential information and disruption of critical services.
What should organizations do to protect themselves?
Juniper recommends immediately applying the patch for CVE-2026-21902 on all affected devices. If applying the patch is not possible in the short term, the anomalies service should be disabled via the command 'request pfe anomalies disable'. Additionally, network access to vulnerable devices should be restricted to only known trusted networks, and traffic monitoring should be enhanced.
How does this affect Kazakhstan and Central Asia?
For Kazakhstan and Central Asian countries, this vulnerability poses a direct threat to national telecommunications infrastructure. Juniper PTX routers are used by major telecommunications operators in the region to provide international channels and in-house backbones. Compromise of such equipment can lead to the interception of data from Kazakhstani users and disruption of critical services at the regional level.
Sources
Photo source: proarch.com