Nearly 12,000 Juniper SRX firewalls and EX switches are vulnerable to attacks exploiting a recently disclosed flaw that allows a remote attacker to achieve remote code execution without creating a file on the system.
The bug, tracked as CVE-2023-36845, is an input validation issue in the J-Web component of Junos OS that can be used to modify the values of certain PHP environment variables and thereby alter the application's behavior. The vendor fixed the flaw in August of this year along with a slew of other vulnerabilities (CVE-2023-36844, CVE-2023-36846, CVE-2023-36847, and CVE-2023-36851).
According to researchers at watchTowr, when chained together, these bugs could allow remote code execution. A proof-of-concept (PoC) exploit created by watchTowr combined CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution.
Now, experts at VulnCheck have devised another PoC that relies on CVE-2023-36845 alone to achieve fileless, unauthenticated remote code execution and establish a reverse shell.
“Firewalls are interesting targets to APT as they help bridge into the protected network and can serve as useful hosts for C2 infrastructure. Anyone who has an unpatched Juniper firewall should examine it for signs of compromise,” the researchers wrote, adding that they have seen evidence of exploitation in the wild, “and given how slow patching is going, we suspect this will be a useful exploit for attackers for quite some time.”