CVE-2023-36846 — Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability

Juniper Junos OS SRX J-Web — Unauthenticated File Upload via user.php; Chained with CVE-2023-36844 for Pre-Auth RCE; August 2023 Out-of-Cycle Bulletin

What is Juniper Junos OS J-Web?

Juniper Junos OS is the operating system that runs Juniper's EX Series switches and SRX Series firewalls. J-Web is the PHP-based web management interface that provides browser-accessible device administration. It exposes multiple PHP handler endpoints for management functions, including user account management (user.php) and package installation (installAppPackage.php). Missing authentication on these file-handling endpoints lets an unauthenticated attacker write arbitrary files to the device filesystem, which, combined with PHP environment variable modification (CVE-2023-36844), yields unauthenticated remote code execution.

Overview

CVE-2023-36846 is a missing authentication for a critical function vulnerability (CWE-306) in the Juniper Junos OS J-Web interface on SRX Series firewalls. A specific HTTP request to user.php — a file upload endpoint — does not require authentication, allowing an unauthenticated remote attacker to upload arbitrary files to a portion of the J-Web filesystem. Although the standalone integrity impact is limited (partial filesystem write), CVE-2023-36846 is one stage of a pre-auth RCE exploit chain when combined with CVE-2023-36844 (PHP env var modification).

All five J-Web vulnerabilities were disclosed in Juniper's August 17, 2023 out-of-cycle security bulletin and added to CISA's KEV catalog together on November 13, 2023.

Affected Versions

Product                  Affected                   Fixed
Junos OS on SRX Series   20.4 prior to 20.4R3-S9    20.4R3-S9
Junos OS on SRX Series   21.2 prior to 21.2R3-S7    21.2R3-S7
Junos OS on SRX Series   21.4 prior to 21.4R3-S5    21.4R3-S5
Junos OS on SRX Series   22.1 prior to 22.1R3-S4    22.1R3-S4
Junos OS on SRX Series   22.2 prior to 22.2R3-S2    22.2R3-S2
Junos OS on SRX Series   22.3 prior to 22.3R2-S2    22.3R2-S2
Junos OS on SRX Series   22.4 prior to 22.4R2-S1    22.4R2-S1
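Checking a fleet against the table above by hand is error-prone because Junos version strings carry a release (R) and a service-release (S) component that must be compared numerically within the same train. The following is an added example, not code from Juniper or from this advisory, that parses a `YY.nRx[-Sy]` string and compares it with the fixed release for its train; trains absent from the table (and SRX branch formats such as `-D` builds) are reported as unlisted or rejected rather than guessed at.

```python
import re
from typing import Tuple

# Fixed releases per affected Junos OS train on SRX Series, taken from the advisory table.
FIXED_BY_TRAIN = {
    "20.4": "20.4R3-S9",
    "21.2": "21.2R3-S7",
    "21.4": "21.4R3-S5",
    "22.1": "22.1R3-S4",
    "22.2": "22.2R3-S2",
    "22.3": "22.3R2-S2",
    "22.4": "22.4R2-S1",
}

# YY.nRx, optionally followed by -Sy and a sub-service suffix (.z) that is ignored.
# Branch formats such as 15.1X49-D170 deliberately do not match.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+)(?:\.\d+)?)?$")


def parse_junos_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, release, service); a missing -S part counts as service 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, release, service = m.groups()
    return int(major), int(minor), int(release), int(service or 0)


def assess(version: str) -> str:
    """Classify a Junos OS on SRX version as 'affected', 'fixed' or 'unlisted'."""
    parsed = parse_junos_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_BY_TRAIN.get(train)
    if fixed is None:
        # Train not covered by the advisory table; consult the vendor bulletin.
        return "unlisted"
    # Tuple comparison orders (major, minor, release, service) lexicographically,
    # which matches how Junos numbers its releases within one train.
    return "fixed" if parsed >= parse_junos_version(fixed) else "affected"
```

Run `assess()` against the output of `show version` on each device; anything reported as unlisted should be checked against the vendor bulletin rather than assumed safe.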

Technical Details

Missing authentication for a critical function (CWE-306) occurs when a critical operation — in this case, file upload — can be performed without first authenticating to the application. The user.php endpoint in J-Web accepts file upload requests without verifying that the requester is an authenticated administrator.

The combined exploitation chain:

  1. Upload malicious PHP file (CVE-2023-36846) — send a crafted unauthenticated POST request to user.php with a PHP webshell as the uploaded file; the file is written to a filesystem path accessible to J-Web
  2. Modify PHP environment (CVE-2023-36844) — use the companion PHP env var modification CVE to influence how J-Web processes subsequent requests, such as enabling the uploaded PHP file to be included or auto-loaded
  3. Execute the uploaded payload — the PHP webshell executes in the J-Web web server context, providing command execution on the Junos device

The I:L (low integrity impact) in this CVE's individual CVSS vector reflects only the partial filesystem write achievable in isolation; Juniper's combined advisory assesses the complete chain at C:H/I:H/A:H, CVSS 9.8 Critical.

Discovery

Juniper's August 2023 out-of-cycle bulletin covered all five companion J-Web CVEs. Active exploitation was confirmed by CISA's November 2023 KEV addition.

Exploitation Context

SRX Series firewalls are deployed at network perimeters in enterprise environments — making RCE on an SRX device equivalent to firewall compromise. An attacker with code execution on the SRX can:

  • Inspect or modify firewall policies and ACLs
  • Intercept or redirect network traffic
  • Use the SRX's network position for lateral movement to internal systems
  • Establish persistent access via configuration changes that survive reboots

The KEV addition covers all four companion CVEs (36844, 36846, 36847, 36851) simultaneously — reflecting that the chain as a whole was observed being exploited in the wild.

Remediation

  1. Apply the Juniper August 2023 out-of-cycle patch — upgrade to the fixed Junos OS versions in the table above; the patch addresses all five companion J-Web CVEs.
  2. Disable J-Web if not required — SRX Series devices can be managed entirely via SSH CLI; disable J-Web to eliminate the attack surface.
  3. Restrict J-Web network access — if J-Web must remain enabled, use firewall filters to restrict J-Web access to dedicated management subnets; J-Web must never be internet-accessible.
  4. Audit for indicators of compromise — review J-Web logs for unauthenticated POST requests to user.php that may indicate prior exploitation attempts.
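Remediation step 4 is the one that needs tooling: an access log does not record whether a POST came from an authenticated session, so the practical triage is to list every POST to the J-Web file-handling endpoints named in this advisory and prioritise those arriving from outside the dedicated management subnet of step 3. The example below is added here and is not code from Juniper or the advisory; the NCSA combined log format, the 10.10.0.0/24 management subnet and the sample lines are all constructed assumptions to be replaced with the real device log format and subnet.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Log-line format is an assumption (NCSA combined format); adjust LOG_RE to the
# actual J-Web/httpd access-log format on the device before use.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# The J-Web file-handling endpoints named in this advisory.
FILE_ENDPOINTS = ("user.php", "installAppPackage.php")
# Constructed placeholder for the dedicated management subnet (remediation step 3).
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

def in_mgmt_net(src: str) -> bool:
    """True when the source address lies inside an approved management subnet."""
    try:
        return any(ipaddress.ip_address(src) in net for net in MGMT_NETS)
    except ValueError:  # not an IP literal
        return False

def flag_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a POST to a file-handling endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    script = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    if m["method"] != "POST" or script not in FILE_ENDPOINTS:
        return None
    # The access log does not record whether the session was authenticated, so every
    # POST to these endpoints is listed; sources outside the management subnet cannot
    # be legitimate administration and are marked for priority review.
    reason = "POST to J-Web file-handling endpoint"
    if not in_mgmt_net(m["src"]):
        reason += " from outside management subnet"
    return {"src": m["src"], "time": m["ts"], "path": m["path"],
            "status": m["status"], "reason": reason}

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run flag_line over a log and keep the findings in log order."""
    return [hit for hit in map(flag_line, lines) if hit is not None]

# Constructed sample log; 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = [
    '10.10.0.5 - - [18/Aug/2023:09:14:02 +0000] "GET /login.php HTTP/1.1" 200 1532',
    '203.0.113.77 - - [18/Aug/2023:09:15:41 +0000] "POST /user.php HTTP/1.1" 200 231',
    '10.10.0.5 - - [18/Aug/2023:09:16:10 +0000] "POST /user.php HTTP/1.1" 200 231',
    '203.0.113.77 - - [18/Aug/2023:09:16:55 +0000] "GET /user.php?id=1 HTTP/1.1" 200 412',
    '203.0.113.77 - - [18/Aug/2023:09:17:30 +0000] "POST /installAppPackage.php HTTP/1.1" 200 98',
]
```

`scan(SAMPLE_LOG)` returns three findings, two of them from the non-management source; a hit with a 200 status from outside the management subnet on a device that was unpatched at that time is the strongest indicator the page describes and warrants a full compromise assessment rather than just patching.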

Key Details

Property              Value
CVE ID                CVE-2023-36846
Vendor / Product      Juniper — Junos OS
NVD Published         2023-08-17
NVD Last Modified     2026-02-26
CVSS 3.1 Score        5.3
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity              MEDIUM
CWE                   CWE-306
CISA KEV Added        2023-11-13
CISA KEV Deadline     2023-11-17
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       None
Integrity             Low
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2023-11-17. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2023-08-17  Juniper releases out-of-cycle security bulletin disclosing J-Web vulnerabilities CVE-2023-36844 through CVE-2023-36851 for EX and SRX Series devices; J-Web file upload CVEs patched
2023-11-13  CISA adds CVE-2023-36846 to the Known Exploited Vulnerabilities catalog, alongside CVE-2023-36844, CVE-2023-36847, and CVE-2023-36851
2023-11-17  CISA BOD 22-01 remediation deadline

References

Resource                   Type
NVD — CVE-2023-36846       Vulnerability Database
CISA KEV Catalog Entry     US Government