VulnCheck has found that nearly 12,000 internet-facing Juniper firewall devices are affected by a new medium-severity remote code execution vulnerability, which can be exploited to execute arbitrary code without the need to create a file, The Hacker News reports.
The flaw, tracked as CVE-2023-36845, stems from the J-Web component of Junos OS and was addressed by Juniper in an out-of-cycle update last month. Attackers exploiting the vulnerability modify the PHPRC environment variable, which eventually facilitates sensitive data exposure. Threat actors then use PHP's auto_prepend_file and allow_url_include options along with the data:// protocol wrapper to enable arbitrary code execution.
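For defenders reviewing captured J-Web request data, the Python sketch below (an added example, not code from VulnCheck, Juniper or The Hacker News) flags records that contain the strings named above, including URL-encoded and double-encoded forms. The log format, the `req=` field and every sample record are constructed, and since the article does not say where in a request these values appear, the scanner searches the whole record.

```python
import re
from urllib.parse import unquote_plus

# Indicator strings are the names given in the article. Treating their presence
# in logged request data as suspicious is this example's assumption.
INDICATORS = {
    "PHPRC": re.compile(r"\bPHPRC\b", re.I),
    "auto_prepend_file": re.compile(r"\bauto_prepend_file\b", re.I),
    "allow_url_include": re.compile(r"\ballow_url_include\b", re.I),
    "data://": re.compile(r"\bdata://", re.I),
}
PHP_OVERRIDES = {"auto_prepend_file", "allow_url_include", "data://"}


def decode_fully(text, max_rounds=3):
    """URL-decode repeatedly so double-encoded names (%2550HPRC) still match."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan(log_text):
    """Return (line_number, severity, indicators) for each suspicious line."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        decoded = decode_fully(line)
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
        if not hits:
            continue
        # PHPRC plus a PHP setting override matches the chain the article describes.
        chained = "PHPRC" in hits and PHP_OVERRIDES.intersection(hits)
        findings.append((number, "high" if chained else "review", hits))
    return findings


# Constructed sample records (hypothetical format, documentation IP ranges).
SAMPLE_LOG = """\
2023-09-20T10:01:02Z src=198.51.100.7 req="lang=en&page=dashboard"
2023-09-20T10:02:10Z src=203.0.113.5 req="PHPRC=PLACEHOLDER&auto_prepend_file=data://PLACEHOLDER"
2023-09-20T10:03:44Z src=203.0.113.5 req="%2550HPRC=PLACEHOLDER&allow_url_include=1"
2023-09-20T10:04:00Z src=192.0.2.9 req="topic=data%3A%2F%2Fexample"
"""

if __name__ == "__main__":
    for number, severity, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {severity}: {', '.join(hits)}")
```

A "review" result means a single indicator appeared on its own and needs context before it is treated as an exploitation attempt.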
"Firewalls are interesting targets to APT as they help bridge into the protected network and can serve as useful hosts for C2 infrastructure. Anyone who has an unpatched Juniper firewall should examine it for signs of compromise," said VulnCheck researcher Jacob Baines.