What is Juniper Junos OS J-Web?
Juniper Networks Junos OS is the operating system running on Juniper's EX Series switches and SRX Series firewalls — enterprise and service provider network infrastructure used in datacenters, campuses, and ISP edge networks. J-Web is Junos OS's web-based management interface, providing a browser-based graphical configuration tool accessible via HTTP/HTTPS on the management port. Juniper EX switches and SRX firewalls are widely deployed in enterprise and government environments, and their compromise provides an attacker with network-level control — the ability to modify routing, firewall policies, VPN configurations, and network traffic handling.
Overview
CVE-2023-36845 is one of four related J-Web vulnerabilities (CVE-2023-36844 through CVE-2023-36847) that Juniper patched in an out-of-cycle advisory in August 2023. Individually, each vulnerability has moderate severity, but CVE-2023-36844 and CVE-2023-36845 can be chained to achieve pre-authentication remote code execution on Juniper EX and SRX devices. The critical insight discovered by watchTowr Labs is that CVE-2023-36844 allows setting the PHPRC environment variable, and CVE-2023-36845 allows uploading a PHP configuration file — together enabling attacker-controlled PHP code execution through J-Web.
Affected Versions
| Product | Fixed Version |
|---|---|
| Junos OS on EX Series | 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1 (or later) |
| Junos OS on SRX Series | Same versions as above |
Technical Details
CWE-473 (PHP External Variable Modification). PHP supports a configuration mechanism where the PHPRC environment variable overrides the location of the php.ini configuration file. If an attacker can control the PHPRC variable and also upload a file to a predictable location, they can point PHP to a malicious php.ini that enables dangerous settings (such as auto_prepend_file, which causes PHP to execute an attacker-controlled file before every request).
The exploitation chain combining CVE-2023-36844 and CVE-2023-36845:
- CVE-2023-36844: inject the PHPRC environment variable via J-Web's unauthenticated parameter handling, pointing PHP to an attacker-controlled php.ini location
- CVE-2023-36845: upload a malicious PHP configuration file to a reachable path using J-Web's unauthenticated file upload mechanism
- Combined effect: PHP loads the attacker's php.ini, which triggers execution of attacker-controlled PHP code on J-Web requests
The CISA KEV entry for CVE-2023-36845 reflects the combined exploitation; CVE-2023-36844 (the companion) was also added to KEV separately.
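The chain above depends on a request carrying a PHP configuration directive name (PHPRC) and on an unauthenticated upload reaching J-Web. As an added detection example, not code from the Juniper advisory or from watchTowr's research, the following Python scans web-server access logs in the common combined format and flags requests whose URL-decoded path or query contains PHP configuration directive names, plus any request reaching J-Web from outside a trusted management network. The log lines are constructed; the log layout, the trusted network ranges, the request paths and the directive list are assumptions, since the page does not describe J-Web's log format.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed sample access log in Apache/httpd combined format. These are not
# real J-Web log lines; the layout, paths and addresses are assumptions.
SAMPLE_LOG = """\
10.10.5.20 - - [14/Nov/2023:09:12:01 +0000] "GET /login HTTP/1.1" 200 1284 "-" "Mozilla/5.0"
198.51.100.77 - - [14/Nov/2023:09:12:44 +0000] "GET /?PHPRC=%2Ftmp%2Fx.ini HTTP/1.1" 200 511 "-" "python-requests/2.31"
198.51.100.77 - - [14/Nov/2023:09:12:45 +0000] "POST /upload HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.10.5.21 - - [14/Nov/2023:09:15:09 +0000] "POST /upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# PHP configuration directive names that have no legitimate reason to appear in a
# request to a management interface. PHPRC is the one the page describes; the
# others are php.ini directives that an attacker-supplied php.ini would set.
PHP_DIRECTIVES = ("phprc", "auto_prepend_file", "auto_append_file", "allow_url_include")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def fully_decode(target, rounds=3):
    """URL-decode a request target repeatedly so double-encoded values are still visible."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def php_directive_hits(target):
    """Names from PHP_DIRECTIVES that appear anywhere in the decoded path or query."""
    decoded = fully_decode(target).lower()
    return [d for d in PHP_DIRECTIVES if d in decoded]


def analyze(log_text, trusted_nets):
    """Scan log text and return one finding per suspicious request.

    trusted_nets: CIDR strings for the management networks allowed to reach J-Web.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        hits = php_directive_hits(rec["target"])
        if hits:
            reasons.append("php-directive:" + ",".join(hits))
        src = ipaddress.ip_address(rec["ip"])
        if not any(src in n for n in nets):
            # J-Web should only ever be reachable from management networks.
            reasons.append("untrusted-source")
            if rec["method"] == "POST":
                # A POST from outside the management network is a candidate for
                # the unauthenticated file-upload step of the chain.
                reasons.append("untrusted-upload-candidate")
        if reasons:
            findings.append({"ip": rec["ip"], "method": rec["method"],
                             "target": rec["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, ["10.10.5.0/24"]):
        print(f["ip"], f["method"], f["target"], ";".join(f["reasons"]))
```

Run against the constructed sample, the two requests from 198.51.100.77 are flagged (the first for the PHPRC directive and its untrusted source, the second as an untrusted POST), while both requests from the 10.10.5.0/24 management network pass. Repeated decoding matters because a single `%`-decode would miss a double-encoded directive name.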
Discovery
The combined pre-auth RCE chain was discovered and publicly demonstrated by watchTowr Labs (Sonny MacDonald) on August 25, 2023 — eight days after the Juniper advisory. The watchTowr PoC significantly accelerated exploitation by providing a clear attack path.
Exploitation Context
Juniper EX switches and SRX firewalls are prime targets for nation-state actors and sophisticated criminal groups due to their privileged network position. Network infrastructure vulnerabilities in Juniper equipment have previously been exploited by threat actors including NSA-affiliated operators (documented in the Shadow Brokers leaks) and China-nexus APTs. The 4-day CISA KEV deadline (November 13 to November 17) indicates urgent active exploitation at the time of addition.
Remediation
- Apply the Juniper out-of-cycle patches immediately — update to the fixed Junos OS versions per the August 2023 advisory.
- If patching cannot be done immediately, disable J-Web as a temporary mitigation with `delete system services web-management` and use SSH CLI access instead.
- Restrict J-Web access to trusted management networks via a firewall filter on the management interface — J-Web should never be internet-accessible.
- Also apply patches for the companion vulnerabilities CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847, which are covered in the same advisory.
- Review J-Web access logs for unusual GET/POST requests indicating exploitation attempts, particularly requests with unexpected parameter values or file upload activities.
- Verify device configuration integrity after patching — compare running configuration against known-good baseline to detect unauthorized changes.
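To make the mitigation and integrity checks above concrete, here is an added Python example (not Juniper's tooling) that compares a Junos configuration in `show configuration | display set` form against a known-good baseline, lists added and removed statements, and reports whether J-Web is still enabled and whether the management interface carries an input filter. Both configurations are constructed; the management interface name fxp0, the filter name MGMT-ONLY, the addresses and the extra login name are assumptions.

```python
# Constructed known-good baseline in 'show configuration | display set' form.
# Interface name fxp0, filter name MGMT-ONLY and the addresses are assumptions.
BASELINE = """\
set system host-name srx-edge-01
set system services ssh
set system services web-management https port 443
set interfaces fxp0 unit 0 family inet address 10.10.5.2/24
set interfaces fxp0 unit 0 family inet filter input MGMT-ONLY
set firewall family inet filter MGMT-ONLY term allow-mgmt from source-address 10.10.5.0/24
set firewall family inet filter MGMT-ONLY term allow-mgmt then accept
set firewall family inet filter MGMT-ONLY term deny-rest then discard
"""

# Constructed running configuration pulled after patching: the management filter
# is gone, plain-HTTP J-Web has been enabled and an extra super-user login
# (placeholder name) has appeared.
RUNNING = """\
set system host-name srx-edge-01
set system services ssh
set system services web-management https port 443
set system services web-management http
set system login user svc-backup class super-user
set interfaces fxp0 unit 0 family inet address 10.10.5.2/24
set firewall family inet filter MGMT-ONLY term allow-mgmt from source-address 10.10.5.0/24
set firewall family inet filter MGMT-ONLY term allow-mgmt then accept
set firewall family inet filter MGMT-ONLY term deny-rest then discard
"""


def parse_set_config(text):
    """Normalise display-set output into a set of 'set ...' statements (whitespace collapsed)."""
    stmts = set()
    for line in text.splitlines():
        line = " ".join(line.split())
        if line.startswith("set "):
            stmts.add(line)
    return stmts


def diff_config(baseline, running):
    """Return (added, removed): statements only in running / only in baseline."""
    b, r = parse_set_config(baseline), parse_set_config(running)
    return sorted(r - b), sorted(b - r)


def filter_sources(stmts, filter_name):
    """Source prefixes matched by a firewall filter's 'from source-address' terms."""
    prefix = f"set firewall family inet filter {filter_name} term "
    return [s.rsplit(" ", 1)[1] for s in sorted(stmts)
            if s.startswith(prefix) and " from source-address " in s]


def jweb_exposure(running, mgmt_interface="fxp0"):
    """Report whether J-Web is enabled and how the management interface is filtered."""
    stmts = parse_set_config(running)
    web = sorted(s for s in stmts if s.startswith("set system services web-management"))
    filter_prefix = f"set interfaces {mgmt_interface} unit 0 family inet filter input "
    filters = sorted(s[len(filter_prefix):] for s in stmts if s.startswith(filter_prefix))
    report = {
        "web_management_enabled": bool(web),
        "web_management_statements": web,
        "mgmt_input_filters": filters,
        "filter_sources": {f: filter_sources(stmts, f) for f in filters},
    }
    # J-Web enabled with no input filter on the management interface is the
    # exposure the remediation list warns about.
    report["exposed"] = bool(web) and not filters
    return report


if __name__ == "__main__":
    added, removed = diff_config(BASELINE, RUNNING)
    print("added:", *added, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
    print(jweb_exposure(RUNNING))
```

On the constructed input the diff surfaces the new login and the plain-HTTP J-Web statement as additions and the dropped management filter as a removal, and `jweb_exposure` reports the running configuration as exposed while the baseline is not. The comparison is set-based, so statement order and indentation differences between two `display set` dumps do not produce noise.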
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-36845 |
| Vendor / Product | Juniper — Junos OS |
| NVD Published | 2023-08-17 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-473 |
| CISA KEV Added | 2023-11-13 |
| CISA KEV Deadline | 2023-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-08-17 | Juniper releases out-of-cycle advisory covering CVE-2023-36844, 36845, 36846, and 36847 — combined pre-auth RCE chain in J-Web |
| 2023-08-25 | watchTowr Labs publishes PoC demonstrating the pre-auth RCE chain |
| 2023-11-13 | CISA adds CVE-2023-36845 to Known Exploited Vulnerabilities catalog — very short 4-day deadline |
| 2023-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Juniper Out-of-Cycle Security Bulletin — CVE-2023-36844/36845/36846/36847 | Vendor Advisory |
| NVD — CVE-2023-36845 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |