What is Juniper Junos OS J-Web?
J-Web is the PHP-based web management interface for Juniper Junos OS devices, providing browser-accessible administration of SRX Series firewalls and EX Series switches. The webauth_operation.php endpoint handles web authentication operations in J-Web. Missing authentication on this endpoint allows unauthenticated attackers to upload arbitrary files — the file-upload stage of the August 2023 Juniper J-Web pre-auth RCE chain, alongside CVE-2023-36846 (SRX user.php) and CVE-2023-36847 (EX installAppPackage.php).
Overview
CVE-2023-36851 is a missing authentication for a critical function vulnerability (CWE-306) in the Juniper Junos OS J-Web interface on SRX Series firewalls. A crafted HTTP request to webauth_operation.php — which does not require authentication — allows an unauthenticated remote attacker to upload arbitrary files to a filesystem path accessible by J-Web. When chained with CVE-2023-36844 (PHP external variable modification), this provides unauthenticated remote code execution with a combined CVSS of 9.8 Critical.
The datePublished for CVE-2023-36851 (September 27, 2023) is notably later than Juniper's August 17 bulletin — the CVE was assigned and formally published six weeks after the patch was available. CISA added all four J-Web chain CVEs to the KEV catalog simultaneously on November 13, 2023.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| Junos OS on SRX Series | 20.4 prior to 20.4R3-S9 | 20.4R3-S9 |
| Junos OS on SRX Series | 21.2 prior to 21.2R3-S7 | 21.2R3-S7 |
| Junos OS on SRX Series | 21.4 prior to 21.4R3-S5 | 21.4R3-S5 |
| Junos OS on SRX Series | 22.1 prior to 22.1R3-S4 | 22.1R3-S4 |
| Junos OS on SRX Series | 22.2 prior to 22.2R3-S2 | 22.2R3-S2 |
| Junos OS on SRX Series | 22.3 prior to 22.3R2-S2 | 22.3R2-S2 |
| Junos OS on SRX Series | 22.4 prior to 22.4R2-S1 | 22.4R2-S1 |
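
An added example (not Juniper tooling and not code from the original page) that applies the table above to a device inventory. It assumes release strings of the form `21.4R3-S5`, optionally with a trailing build number, ordered by R number and then by S number; the hostnames and inventory are constructed.

```python
import re

# Fixed releases copied from the Affected Versions table on this page.
FIXED = {
    "20.4": "20.4R3-S9", "21.2": "21.2R3-S7", "21.4": "21.4R3-S5",
    "22.1": "22.1R3-S4", "22.2": "22.2R3-S2", "22.3": "22.3R2-S2",
    "22.4": "22.4R2-S1",
}

# Accepts e.g. 21.4R3-S5, 21.4R3-S5.4, 22.3R2.12 (a trailing .N build number is ignored).
_RELEASE = re.compile(r"^(\d+\.\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_release(version):
    """Return (train, (R, S)); S is 0 when there is no service release."""
    m = _RELEASE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos release string: {version!r}")
    train, r, s = m.groups()
    return train, (int(r), int(s or 0))


def triage(version):
    """Classify a release as 'affected', 'fixed' or 'not-listed' per the table."""
    train, level = parse_release(version)
    if train not in FIXED:
        return "not-listed"  # the table says nothing about this train
    # Assumption: releases order by R number, then by S number.
    return "affected" if level < parse_release(FIXED[train])[1] else "fixed"


if __name__ == "__main__":
    # Constructed inventory, e.g. collected from "show version" output.
    for host, ver in [("srx-edge-1", "20.4R3-S8"), ("srx-edge-2", "22.3R3"),
                      ("srx-lab", "22.3R2.12"), ("srx-new", "23.2R1")]:
        print(f"{host:12} {ver:12} {triage(ver)}")
```

A `not-listed` result means the release train does not appear in the table, not that the device is safe; check it against the vendor bulletin.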
Technical Details
The webauth_operation.php endpoint handles web authentication workflow actions in J-Web. Because the endpoint lacks an authentication guard (CWE-306), a crafted unauthenticated POST request can trigger file write operations:
- Upload arbitrary file (CVE-2023-36851) — send a crafted unauthenticated request to webauth_operation.php with a PHP webshell as the uploaded file; the file is written to a J-Web-accessible path on the SRX filesystem
- Modify PHP environment (CVE-2023-36844) — exploit the companion CVE to manipulate PHP env vars to include or execute the uploaded file
- Remote code execution — the PHP webshell executes under the J-Web web server process, enabling OS-level commands on the Junos platform
CVE-2023-36851 provides an alternative file upload path to CVE-2023-36846 (user.php) on SRX devices — giving attackers multiple unauthenticated file-write endpoints to leverage in the chain.
Exploitation Context
The four KEV-listed Juniper J-Web CVEs (CVE-2023-36844, CVE-2023-36846, CVE-2023-36847, CVE-2023-36851) represent one of the most significant network infrastructure vulnerability chains of 2023. SRX Series firewalls in particular are deployed as enterprise network perimeter security devices — compromise provides full visibility into traffic inspected by the firewall and the ability to modify security policies silently. Threat actors including Chinese-nexus groups were observed targeting Juniper network devices in 2023.
Remediation
- Apply the Juniper August 2023 out-of-cycle patch — update to fixed Junos OS versions; all five companion CVEs are addressed in the same Juniper security update.
- Disable J-Web — the most effective mitigation is to disable J-Web entirely; SRX firewalls should be managed via SSH CLI and NetConf rather than the web interface.
- Restrict J-Web to management networks — if J-Web cannot be disabled, apply firewall filters to allow J-Web access only from dedicated management IP ranges; the interface must not be internet-accessible.
- Check for webshells — inspect the J-Web directory structure for unexpected PHP files that may have been uploaded via CVE-2023-36851 or companion CVEs during the exposure window.
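
To support the network-restriction and webshell-check steps above, this added example (not from Juniper or the original page) scans web server access logs for POST requests to the upload endpoints named on this page that arrived from outside the management ranges. It assumes logs exported in Common Log Format; the management prefix and the sample lines are constructed.

```python
import ipaddress
import re

# Endpoints this page names as unauthenticated file-upload stages of the chain.
UPLOAD_ENDPOINTS = {"webauth_operation.php", "user.php", "installAppPackage.php"}

# Assumption: placeholder management range (documentation prefix); use your own.
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Common Log Format: host ident user [time] "METHOD path proto" status size
_CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def from_mgmt(src):
    """True when src is an IP address inside a management range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # hostname or garbage in the host field
        return False
    return any(addr in net for net in MGMT_NETS)


def upload_posts_outside_mgmt(lines):
    """Return (time, src, path, status) for POSTs to the upload endpoints
    whose source is not in a management range."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue
        src, when, method, path, status = m.groups()
        script = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if method == "POST" and script in UPLOAD_ENDPOINTS and not from_mgmt(src):
            hits.append((when, src, path, int(status)))
    return hits


# Constructed sample lines, not taken from a real device.
SAMPLE = [
    '192.0.2.10 - - [20/Aug/2023:09:14:02 +0000] "POST /webauth_operation.php HTTP/1.1" 200 312',
    '203.0.113.77 - - [21/Aug/2023:03:41:55 +0000] "POST /webauth_operation.php HTTP/1.1" 200 298',
    '203.0.113.77 - - [21/Aug/2023:03:41:58 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.5 - - [22/Aug/2023:11:02:10 +0000] "POST /user.php?t=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in upload_posts_outside_mgmt(SAMPLE):
        print(hit)
```

Each hit gives a timestamp to correlate with the creation times of PHP files found during the webshell check.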
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-36851 |
| Vendor / Product | Juniper — Junos OS |
| NVD Published | 2023-09-27 |
| NVD Last Modified | 2026-02-26 |
| CVSS 3.1 Score | 5.3 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Severity | MEDIUM |
| CWE | CWE-306 |
| CISA KEV Added | 2023-11-13 |
| CISA KEV Deadline | 2023-11-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-08-17 | Juniper releases out-of-cycle security bulletin disclosing the J-Web vulnerability chain for SRX and EX Series; patch available |
| 2023-09-27 | CVE-2023-36851 formally published |
| 2023-11-13 | CISA adds CVE-2023-36851 to the Known Exploited Vulnerabilities catalog — alongside CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847 |
| 2023-11-17 | CISA BOD 22-01 remediation deadline |