Platform: juniper
Component: juniper-junos-os-evolved
Fixed in: 22.4R3-S9-EVO, 23.2R2-S6-EVO, 23.4R2-S7-EVO, 24.2R2-S4-EVO, 24.4R2-S2-EVO, 25.2R1-S2-EVO, 25.2R2-EVO
CVE-2026-33783 describes a Denial of Service (DoS) vulnerability found in the sensor interface of Juniper Networks Junos OS Evolved on PTX Series devices. An attacker with low privileges, accessing the system over the network, can trigger a complete service disruption by exploiting this flaw, specifically when using colored SRTE policy tunnels provisioned via PCEP and monitoring traffic via gRPC. Affected versions include 0.0.0–25.2R1-S2-EVO and 25.2R2-EVO; patches are available for these versions.
CVE-2026-33783 in Junos OS Evolved affects PTX series devices and can lead to a complete Denial of Service (DoS). An authenticated, network-based attacker with low privileges can exploit this vulnerability. Specifically, the failure occurs when colored SRTE policy tunnels are provisioned via PCEP and gRPC is used to monitor traffic in these tunnels. This causes evo-aftmand to crash and not restart, resulting in a persistent service impact. Recovery requires a manual system reboot, which can significantly impact network availability.
This vulnerability is exploited through a function call with an incorrect argument type in the sensor interface. An authenticated attacker with low privileges can send malicious data via PCEP and gRPC, triggering the evo-aftmand failure. Authentication is required, limiting the exploitation scope to users or systems that already have network access. The impact is significant due to the complete and persistent denial of service, requiring manual intervention for recovery. The configuration of colored SRTE tunnels with gRPC monitoring increases the exploitation risk.
Exploit Status
EPSS: 0.05% (16% percentile)
Juniper Networks recommends upgrading to Junos OS Evolved version 25.2R1-S2-EVO or 25.2R2-EVO to mitigate this vulnerability. These versions include the necessary fixes to prevent evo-aftmand crashes. In the interim, avoid using colored SRTE policy tunnels provisioned via PCEP if gRPC is used for monitoring. Regularly monitor Juniper security advisories and apply security updates as they become available. Timely patching is crucial for maintaining network security and stability.
Upgrade Junos OS Evolved on PTX Series devices to version 22.4R3-S9-EVO or later, 23.2R2-S6-EVO or later, 23.4R2-S7-EVO or later, 24.2R2-S4-EVO or later, 24.4R2-S2-EVO or later, or 25.2R1-S2-EVO or 25.2R2-EVO to mitigate the vulnerability. Consult the Juniper Networks documentation for detailed upgrade instructions.
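To triage a device inventory against the fixed releases listed on this page, the following added example (not code from Juniper or from this page) classifies each Junos OS Evolved version string by release train. It assumes version strings of the form `MAJOR.MINOR R<n>[-S<n>][.build]-EVO` and that releases within a train order by R number, then S number; the hostnames and inventory are constructed.

```python
import re

# Fixed releases as listed on this page, keyed by release train (major, minor).
# Values are (R number, S number) of the first fixed release in that train.
FIXED = {
    (22, 4): (3, 9),  # 22.4R3-S9-EVO
    (23, 2): (2, 6),  # 23.2R2-S6-EVO
    (23, 4): (2, 7),  # 23.4R2-S7-EVO
    (24, 2): (2, 4),  # 24.2R2-S4-EVO
    (24, 4): (2, 2),  # 24.4R2-S2-EVO
    (25, 2): (1, 2),  # 25.2R1-S2-EVO (25.2R2-EVO sorts after it)
}

# Assumed version format; an optional ".build" suffix is accepted and ignored.
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?-EVO$")

def parse(version):
    """Return ((major, minor), (release, service)) or None if unrecognised."""
    m = _VERSION.match(version.strip())
    if not m:
        return None
    major, minor, rel, svc = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (rel, svc)

def assess(version):
    """Classify one version as fixed, vulnerable, unlisted or unparsed."""
    parsed = parse(version)
    if parsed is None:
        return "unparsed"      # do not guess; inspect the device by hand
    train, level = parsed
    if train in FIXED:
        return "fixed" if level >= FIXED[train] else "vulnerable"
    if train < min(FIXED):
        return "vulnerable"    # older than every train with a listed fix
    return "unlisted"          # no fix listed for this train on this page

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = {
    "ptx-a": "22.4R3-S8-EVO", "ptx-b": "23.4R2-S7-EVO", "ptx-c": "25.2R2-EVO",
    "ptx-d": "21.4R3-EVO", "ptx-e": "24.3R1-EVO",
}

def triage(inventory):
    return {host: assess(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:8} {INVENTORY[host]:16} {status}")
```

Devices reported as `unlisted` or `unparsed` need a manual check against the Juniper advisory, since this page lists no fixed release for their train.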
evo-aftmand is a crucial process in Junos OS Evolved responsible for managing and monitoring traffic tunnels. Its crash disrupts network operations.
It refers to a traffic segmentation technique that uses colors to differentiate traffic flows within SRTE (Segment Routing Traffic Engineering) tunnels.
PCEP (Path Computation Element Protocol) is used to calculate traffic routes. gRPC is a high-performance communication framework used for traffic monitoring.
Avoid using colored SRTE policy tunnels with gRPC monitoring until you can upgrade. Closely monitor your network for any suspicious activity.
No, there is currently no Juniper Early Warning (KEV) published for this vulnerability. However, it is recommended to stay updated with Juniper security advisories.