CVE-2026-33779
Essential information
- Published
- 09/04/2026 22:16
- Modified
- 09/04/2026 22:16
- Author
- —
- Creator
- —
- CVSS
- 8.3 HIGH (v3) 8.3 HIGH (v4.0)
- CISA KEV
- No
- CWE
- —
- CVSS vector
-
—
—
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:X
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Privileges required
- —
- User interaction
- —
- Scope
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- NETWORK
- Attack complexity
- HIGH
- Attack requirements
- NONE
- Privileges required
- NONE
- User interaction
- NONE
- Confidentiality (V)
- HIGH
- Confidentiality (S)
- NONE
- Integrity (V)
- LOW
- Integrity (S)
- NONE
- Availability (V)
- NONE
- Availability (S)
- NONE
- Exploit maturity
- NOT_DEFINED
Description
An Improper Following of a Certificate's Chain of Trust vulnerability in J-Web of Juniper Networks Junos OS on SRX Series allows a PITM to intercept the communication of the device and get access to confidential information and potentially modify it.
When an SRX device is provisioned to connect to Security Director (SD) cloud, it doesn't perform sufficient verification of the received server certificate. This allows a PITM to intercept the communication between the SRX and SD cloud and access credentials and other sensitive information.
This issue affects Junos OS:
* all versions before 22.4R3-S9,
* 23.2 versions before 23.2R2-S6,
* 23.4 versions before 23.4R2-S7,
* 24.2 versions before 24.2R2-S3,
* 24.4 versions before 24.4R2-S2,
* 25.2 versions before 25.2R1-S2, 25.2R2.
NVD status
- Status
- Received — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- [email protected]
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| juniper / juniper networks junos os | cpe:2.3:a:juniper:juniper_networks_junos_os:<22.4R3-S9:*:*:*:*:*:*:* |
| juniper / juniper networks junos os | cpe:2.3:a:juniper:juniper_networks_junos_os:<23.2R2-S6:*:*:*:*:*:*:* |
| juniper / juniper networks junos os | cpe:2.3:a:juniper:juniper_networks_junos_os:<23.4R2-S7:*:*:*:*:*:*:* |
| juniper / juniper networks junos os | cpe:2.3:a:juniper:juniper_networks_junos_os:<24.2R2-S3:*:*:*:*:*:*:* |
| juniper / juniper networks junos os | cpe:2.3:a:juniper:juniper_networks_junos_os:<24.4R2-S2:*:*:*:*:*:*:* |
| juniper / juniper networks junos os | cpe:2.3:a:juniper:juniper_networks_junos_os:<25.2R1-S2:*:*:*:*:*:*:* |
| juniper / juniper networks junos os | cpe:2.3:a:juniper:juniper_networks_junos_os:<25.2R2:*:*:*:*:*:*:* |