Security Vulnerability Report
CVE-2026-21907 CVSS 5.9 MEDIUM

CVE-2026-21907

Published: 2026-01-15 21:16:06
Last Modified: 2026-01-23 20:02:30

Description

A Use of a Broken or Risky Cryptographic Algorithm vulnerability in the TLS/SSL server of Juniper Networks Junos Space allows the use of static key ciphers (ssl-static-key-ciphers), reducing the confidentiality of on-path traffic communicated across the connection. These ciphers also do not support Perfect Forward Secrecy (PFS), affecting the long-term confidentiality of encrypted communications. This issue affects all versions of Junos Space before 24.1R5.

CVSS Details

CVSS Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:junos_space:24.1:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:junos_space:24.1:r2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:junos_space:24.1:r3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:juniper:junos_space:24.1:r4:*:*:*:*:*:* - VULNERABLE
Juniper Junos Space < 24.1R5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
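#!/usr/bin/env python3
"""
CVE-2026-21907 PoC - Juniper Junos Space TLS Weak Cipher Detection
Note: This PoC is for educational and authorized testing purposes only.
"""
import json
import socket
import ssl
from datetime import datetime

# Static-key (RSA key exchange) suites. SSLSocket.cipher() and
# SSLContext.set_ciphers() use OpenSSL names, so map those to the IANA names.
WEAK_CIPHERS = {
    'AES128-SHA': 'TLS_RSA_WITH_AES_128_CBC_SHA',
    'AES256-SHA': 'TLS_RSA_WITH_AES_256_CBC_SHA',
    'DES-CBC3-SHA': 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'RC4-SHA': 'TLS_RSA_WITH_RC4_128_SHA',
    'RC4-MD5': 'TLS_RSA_WITH_RC4_128_MD5',
}


def negotiate(target_host, target_port, ciphers=None):
    """
    Handshake with the target and return the negotiated cipher tuple.
    If `ciphers` is given, offer only that OpenSSL cipher string, capped at
    TLS 1.2 (TLS 1.3 has no static-key suites).
    """
    # Create SSL context
    context = ssl.create_default_context()
    # Certificate validation is off on purpose: only the cipher is inspected
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    if ciphers is not None:
        context.maximum_version = ssl.TLSVersion.TLSv1_2
        context.set_ciphers(ciphers)

    # Connect to target
    with socket.create_connection((target_host, target_port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=target_host) as ssock:
            return ssock.cipher()


def check_weak_ciphers(target_host, target_port=443):
    """
    Check if target supports weak/static key ciphers
    """
    results = {
        'target': target_host,
        'port': target_port,
        'timestamp': datetime.now().isoformat(),
        'weak_ciphers_detected': [],
        'pfs_support': False,
        'vulnerable': False
    }

    try:
        # Default handshake: record what the server picks when given a free choice
        cipher_info = negotiate(target_host, target_port)
        results['current_cipher'] = cipher_info[0] if cipher_info else None

        # Check for PFS support: every TLS 1.3 suite is ephemeral; in TLS 1.2
        # and earlier, only (EC)DHE key exchange provides it
        if cipher_info:
            name, protocol = cipher_info[0], cipher_info[1]
            results['pfs_support'] = (
                protocol == 'TLSv1.3' or name.startswith(('ECDHE-', 'DHE-'))
            )
    except OSError as e:  # covers socket errors, timeouts and ssl.SSLError
        results['error'] = str(e)
        return results

    # Offer each static key cipher on its own; a completed handshake means the
    # server accepts it
    for openssl_name, iana_name in WEAK_CIPHERS.items():
        try:
            # @SECLEVEL=0 lets the local OpenSSL offer legacy suites it still ships
            if negotiate(target_host, target_port, f'{openssl_name}:@SECLEVEL=0'):
                results['weak_ciphers_detected'].append(iana_name)
        except OSError:
            # Suite missing from the local OpenSSL build, or refused by the server
            continue

    results['vulnerable'] = bool(results['weak_ciphers_detected'])
    return results


def test_juniper_junos_space():
    """
    Test Juniper Junos Space for CVE-2026-21907
    """
    # Example targets - replace with authorized targets
    test_targets = [
        'junos-space.example.com'
    ]

    for target in test_targets:
        print(f"[*] Testing {target}...")
        result = check_weak_ciphers(target)
        print(json.dumps(result, indent=2))

        if result['vulnerable']:
            print(f"[!] VULNERABLE: {target} supports weak static key ciphers")
            print(f"[!] Missing PFS support: {not result['pfs_support']}")


if __name__ == '__main__':
    print("CVE-2026-21907 PoC - Juniper Junos Space TLS Weak Cipher Detection")
    print("=" * 70)
    test_juniper_junos_space()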

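References

https://kb.juniper.net/JSA106006 (Vendor Advisory)
https://supportportal.juniper.net/JSA106006 (Vendor Advisory)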

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21907", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:06.357", "lastModified": "2026-01-23T20:02:29.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Use of a Broken or Risky Cryptographic Algorithm vulnerability in the TLS/SSL server of Juniper Networks Junos Space allows the use of static key ciphers (ssl-static-key-ciphers), reducing the confidentiality of on-path traffic communicated across the connection. These ciphers also do not support Perfect Forward Secrecy (PFS), affecting the long-term confidentiality of encrypted communications.This issue affects all versions of Junos Space before 24.1R5."}, {"lang": "es", "value": "Una vulnerabilidad de Uso de un algoritmo criptográfico roto o arriesgado en el servidor TLS/SSL de Juniper Networks Junos Space permite el uso de cifrados de clave estática (ssl-static-key-ciphers), reduciendo la confidencialidad del tráfico en ruta comunicado a través de la conexión. Estos cifrados tampoco soportan Perfect Forward Secrecy (PFS), afectando la confidencialidad a largo plazo de las comunicaciones cifradas. 
Este problema afecta a todas las versiones de Junos Space anteriores a 24.1R5."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:Green", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "GREEN"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", 
"integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-327"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.1", "matchCriteriaId": "2EC090A9-634B-4AA2-916F-7548AF71FF76"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r1:*:*:*:*:*:*", "matchCriteriaId": "0566970C-0E9B-4566-9920-C7C436A4243D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r2:*:*:*:*:*:*", "matchCriteriaId": "A2AA399D-5A7D-45B8-B774-D69054DFA4D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r3:*:*:*:*:*:*", "matchCriteriaId": "57CC4E1A-23AA-4B4A-8690-5EEDCBEC4BBE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:juniper:junos_space:24.1:r4:*:*:*:*:*:*", "matchCriteriaId": "3F39EC68-9DBB-4A30-BB44-1A26020079CB"}]}]}], "references": [{"url": "https://kb.juniper.net/JSA106006", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://supportportal.juniper.net/JSA106006", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}