CVE-2015-7755 — Juniper ScreenOS Improper Authentication Vulnerability

CVE-2015-7755

Juniper ScreenOS — Hardcoded Backdoor Password Enables Unauthenticated SSH/Telnet Admin Access to NetScreen Firewalls; Suspected Nation-State Supply Chain Compromise

What Is Juniper ScreenOS?

Juniper Networks' ScreenOS is the operating system that runs Juniper's NetScreen line of network security appliances — enterprise and government firewalls and VPN concentrators widely deployed in data centers, government networks, and critical infrastructure environments. NetScreen devices provide network perimeter security and encrypted VPN tunnels for remote access, making them a high-value target: compromising a network firewall provides a privileged position to monitor, intercept, or manipulate network traffic.

Juniper is one of the world's largest networking equipment vendors; NetScreen devices were particularly prevalent in U.S. government, defense, and intelligence community networks.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on October 2, 2025. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-7755 is one of the most significant supply chain security events in networking history. In December 2015, Juniper Networks disclosed that unauthorized code had been inserted into ScreenOS — a hardcoded master password that allowed anyone who knew it to log into any affected NetScreen device via SSH or Telnet with full administrator access, regardless of the configured credentials. Juniper released patched versions on December 17, 2015 and urged immediate upgrade. The origin of the unauthorized code — widely suspected to involve nation-state actors — was never officially attributed. A companion vulnerability, CVE-2015-7756, allowed passive decryption of ScreenOS VPN traffic. CISA added CVE-2015-7755 to the KEV catalog in October 2025, a full decade after disclosure.

Affected Versions

ScreenOS                     Status
6.2.0r15 through 6.2.0r18    Vulnerable
6.3.0r12 through 6.3.0r20    Vulnerable
6.2.0r19                     Fixed
6.3.0r21                     Fixed

Earlier and later ScreenOS versions were not affected. All NetScreen hardware running affected ScreenOS versions is vulnerable.
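
As an added example (not taken from Juniper or from this page's source), the version table above can be applied to a device inventory. It assumes version strings contain a token such as 6.3.0r17; the hostnames and banner lines are constructed, and lettered builds inside a vulnerable range go to manual review because the table does not list them.

```python
import re

# Vulnerable ranges from the table above: branch -> (first, last) vulnerable r-number.
VULNERABLE = {(6, 2, 0): (15, 18), (6, 3, 0): (12, 20)}

# Finds a token such as "6.3.0r17" (optionally followed by a build letter) in free text.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)r(\d+)([a-z]?)", re.IGNORECASE)


def classify(text):
    """Return (version, status) for the first ScreenOS version token in text."""
    m = VERSION_RE.search(text)
    if m is None:
        return (None, "unknown")  # an unparseable banner is never reported as safe
    major, minor, patch, rel = (int(g) for g in m.groups()[:4])
    suffix = m.group(5)
    version = f"{major}.{minor}.{patch}r{rel}{suffix}"
    bounds = VULNERABLE.get((major, minor, patch))
    if bounds is None or rel < bounds[0]:
        return (version, "not affected")  # other branches and earlier releases
    if rel > bounds[1]:
        return (version, "fixed")  # 6.2.0r19 / 6.3.0r21 and later
    # Lettered builds inside a vulnerable range are not covered by the table:
    # send them to manual review instead of guessing.
    return (version, "review" if suffix else "vulnerable")


def needs_action(inventory):
    """Return sorted hostnames whose version is vulnerable, unlisted or unreadable."""
    flagged = {"vulnerable", "review", "unknown"}
    return sorted(h for h, banner in inventory.items() if classify(banner)[1] in flagged)


# Constructed inventory; hostnames and banner strings are illustrative only.
SAMPLE_INVENTORY = {
    "fw-edge-01": "Software Version: 6.3.0r17.0, Type: Firewall+VPN",
    "fw-edge-02": "6.3.0r21",
    "fw-dc-01": "6.2.0r18",
    "fw-dc-02": "6.2.0r19",
    "fw-lab-01": "6.3.0r11",
    "fw-lab-02": "6.3.0r17b",
    "fw-old-01": "version string missing",
}

if __name__ == "__main__":
    for host in needs_action(SAMPLE_INVENTORY):
        print(host, *classify(SAMPLE_INVENTORY[host]))
```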

Technical Details

Root Cause: Hardcoded Backdoor Authentication

CVE-2015-7755 is an improper authentication vulnerability (CWE-287) in Juniper ScreenOS caused by the insertion of unauthorized code that implements a hardcoded master password. The backdoor works at the SSH and Telnet login authentication layer:

During authentication, ScreenOS checks whether the presented password matches a known value. The unauthorized code added a secondary check: if the password matches a hardcoded string, authentication succeeds regardless of which username was provided and regardless of the device's configured administrator credentials.

The backdoor password identified by security researchers was:

<<< %s(un='%s') = %u

This string is formatted to resemble a debug format string — a common obfuscation technique to make backdoor code appear to be a debug or logging artifact. Anyone who knew this string could log into any vulnerable NetScreen device as administrator.

Companion VPN Decryption Backdoor

CVE-2015-7756 (the companion CVE disclosed simultaneously) is a separate unauthorized modification to ScreenOS's random number generator used in VPN key generation. This modification weakened the cryptographic randomness in a way that allowed a passive eavesdropper with the right capabilities to decrypt intercepted VPN traffic — even without knowledge of the device's VPN keys. The combination of CVE-2015-7755 (device access) and CVE-2015-7756 (traffic decryption) provided comprehensive access to both the device and its encrypted traffic.

Origin and Attribution

Juniper stated that the unauthorized code was not introduced by Juniper employees. The security community's analysis produced two primary hypotheses:

  1. NSA-then-modified theory: Evidence suggests the VPN decryption backdoor (CVE-2015-7756) used the Dual EC DRBG random number generator algorithm — the same algorithm the NSA is known to have backdoored for its own surveillance purposes. The hypothesis is that NSA introduced an initial backdoor, which was subsequently discovered and modified by a third party (potentially China's MSS) who added the SSH login backdoor (CVE-2015-7755) to enable their own access.
  2. Third-party supply chain insertion: An advanced threat actor with supply chain access to Juniper's development or build process inserted both backdoors.

Juniper never publicly attributed the backdoor insertion. The FBI and NSA investigated but their conclusions were not made public.

Attack Characteristics

Attribute         Detail
Attack Vector     Network — SSH or Telnet to management interface
Authentication    None required (hardcoded password bypasses auth)
Impact            Full administrative access to NetScreen device
Companion         CVE-2015-7756 enables passive VPN traffic decryption
Origin            Suspected nation-state supply chain insertion

Discovery

Juniper Networks' internal code audit discovered the unauthorized code in December 2015. Juniper published the advisory and patched versions on December 17, 2015. Security researchers subsequently identified the backdoor password through analysis of the firmware binary.

Exploitation Context

  • Supply chain security paradigm shift: The Juniper ScreenOS backdoor was a watershed moment for supply chain security awareness — demonstrating that trusted vendors' products could contain backdoors inserted by sophisticated nation-state actors, and that network security appliances were high-value supply chain targets
  • Government network exposure: NetScreen devices were widely deployed in U.S. government, defense contractor, and intelligence community networks; the identity of who used the backdoor and what they accessed during the potentially multi-year exposure window is unknown
  • Multi-year exploitation window: The unauthorized code may have been present in ScreenOS since 2012 (the earliest affected release), a potential 3-year exploitation window before Juniper's 2015 discovery, during which nation-state actors with knowledge of the backdoor password could have accessed any vulnerable NetScreen device
  • VPN traffic decryption: CVE-2015-7756's VPN decryption capability combined with CVE-2015-7755's device access represents a comprehensive intelligence-gathering capability against encrypted communications traversing affected NetScreen VPN concentrators
  • CISA KEV (2025): Added October 2025 — a decade after disclosure — reflecting either new exploitation evidence or CISA's updated assessment of legacy networking equipment risk

Remediation

CISA BOD 22-01 Deadline: October 23, 2025. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Upgrade ScreenOS immediately — install ScreenOS 6.2.0r19 or 6.3.0r21 (or later) on all affected NetScreen devices. These releases remove the unauthorized code.

  2. Replace end-of-life NetScreen hardware — Juniper ended ScreenOS support; affected NetScreen appliances are end-of-life and cannot receive new security updates. Replace with currently supported Juniper SRX or equivalent modern firewall appliances.

  3. Restrict management interface access — ensure SSH and Telnet access to NetScreen management interfaces is restricted to known management IP addresses via firewall ACLs. Management access should never be internet-accessible.

  4. Disable Telnet — use SSH only for device management. Telnet transmits credentials in cleartext and provides no protection against the CVE-2015-7755 backdoor.

  5. Audit device access logs — review historical SSH/Telnet authentication logs for evidence of unauthorized access using the backdoor password, particularly from unexpected IP addresses.

  6. Rotate VPN credentials and certificates — given the companion VPN decryption backdoor (CVE-2015-7756), any VPN traffic that transited affected NetScreen devices should be considered potentially compromised. Rotate VPN certificates, pre-shared keys, and consider the confidentiality of communications that traversed these devices.
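
The access review in steps 3 to 5, as an added example that is not Juniper tooling or part of the original advisory: a backdoor login is recorded as a successful authentication, so the check keys on the source address. The log format, hostnames and management ranges are constructed for illustration; real ScreenOS log lines need their own parsing pattern.

```python
import ipaddress
import re

# Assumption: management stations sit in these ranges (example addresses).
MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]

# Constructed, normalized log format. Real ScreenOS syslog lines look different
# and need their own pattern; only the fields extracted here matter.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) admin-login user=(?P<user>\S+) "
    r"via=(?P<via>ssh|telnet) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

SAMPLE_LOG = """\
2015-11-03T02:14:07Z fw-edge-01 admin-login user=netops via=ssh src=10.20.0.15 result=success
2015-11-03T03:41:52Z fw-edge-01 admin-login user=netops via=ssh src=198.51.100.77 result=success
2015-11-04T11:02:30Z fw-dc-02 admin-login user=root via=telnet src=10.20.0.15 result=success
2015-11-04T11:05:09Z fw-dc-02 admin-login user=admin via=ssh src=203.0.113.9 result=failure
this line is malformed
"""


def audit(log_text, mgmt_nets=MGMT_NETS):
    """Return (findings, unparsed); findings are (ts, host, src, [reasons])."""
    findings, unparsed = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            src = ipaddress.ip_address(m["src"]) if m else None
        except ValueError:
            src = None
        if src is None:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        reasons = []
        if not any(src in net for net in mgmt_nets):
            # A backdoor login is a *successful* authentication, so the source
            # address, not the result field, is what separates it from routine use.
            reasons.append("successful login from non-management address"
                           if m["result"] == "success"
                           else "management interface reachable from non-management address")
        if m["via"] == "telnet":
            reasons.append("telnet in use")
        if reasons:
            findings.append((m["ts"], m["host"], str(src), reasons))
    return findings, unparsed
```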

Key Details

Property              Value
CVE ID                CVE-2015-7755
Vendor / Product      Juniper — ScreenOS
NVD Published         2015-12-19
NVD Last Modified     2025-10-22
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-287 — Improper Authentication
CISA KEV Added        2025-10-02
CISA KEV Deadline     2025-10-23
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-10-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2015-12-17  Juniper Networks publishes out-of-cycle security advisory JSA10713 disclosing unauthorized code in ScreenOS — two issues: SSH/Telnet backdoor password (CVE-2015-7755) and VPN decryption backdoor (CVE-2015-7756)
2015-12-17  Juniper releases patched ScreenOS versions 6.2.0r19 and 6.3.0r21; urges immediate upgrade
2015-12-17  Security community begins analysis; backdoor password identified as "<<< %s(un='%s') = %u"
2015-12-19  CVE-2015-7755 published by NVD
2025-10-02  Added to CISA Known Exploited Vulnerabilities catalog
2025-10-23  CISA BOD 22-01 remediation deadline