CVE-2023-36847
CISA KEVPublished November 13, 2023 · Updated April 3, 2026
high
Official Description+
Juniper Junos OS on EX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.
Affected Products
| Vendor | Product |
|---|---|
| Juniper | Junos OS |
Patch Status
Patch by 2023-11-17
Recommended Actions
- Check if your systems use any of the affected products listed above.
- Apply vendor patches immediately if available.
- This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
- Monitor vendor advisories for updates and additional mitigations.
- Review logs for indicators of compromise related to CVE-2023-36847.