Listen to this Post
How CVE-2026-33794 Works
CVE-2026-33794 is a vulnerability in Juniper Networks Junos OS Evolved, specifically within the advanced forwarding toolkit component known as `evo-aftmand` on PTX Series devices. The core issue is an “Improper Check for Unusual or Exceptional Conditions”, which manifests during the processing of routing updates that create or modify unified list (unilist) ECMP routes.
In normal operation, unilist ECMP is a mechanism where multiple equal-cost paths to a destination are consolidated into a single logical next-hop list entry. This allows the router to treat a set of routes as one and efficiently load-balance traffic across all available paths. However, when an unauthenticated, network-based attacker continuously generates routing updates that trigger the creation of these unilist ECMP routes, a specific sequence of events—outside the attacker’s direct control—can lead to an internal state corruption within the `evo-aftmand` process.
This state corruption is particularly pronounced in large-scale deployments with extensive ECMP unilist configurations. The `evo-aftmand` process, which is critical for packet forwarding on the Packet Forwarding Engine (PFE), fails to properly handle the exceptional conditions caused by these updates. Consequently, the process crashes, generating an `evo-aftmand-bx` core dump. This crash results in a Denial-of-Service (DoS) condition, as the PFE can no longer forward traffic. Recovery from this state is not automatic; it requires manual intervention, such as rebooting the entire system or restarting the Flexible PIC Concentrator (FPC). The vulnerability affects Junos OS Evolved versions from 24.4R2-EVO before 24.4R2-S3-EVO, and from 25.2 before 25.2R2-EVO.
DailyCVE Form
Platform: ……. Junos OS Evolved
Version: …….. 24.4R2-EVO to <24.4R2-S3-EVO, 25.2 to <25.2R2-EVO
Vulnerability :.. Improper Check for Unusual/Exceptional Conditions (CWE-371)
Severity: ……. 5.9 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
date: ………. 09 July 2026
Prediction: ….. 24.4R2-S3-EVO & 25.2R2-EVO (Already Patched)
What Undercode Say: Analytics
Analysis of this vulnerability reveals a critical Denial-of-Service (DoS) risk for network operators. The following commands and logic are relevant for understanding and identifying the issue:
– Identifying Affected Version:
show version | match "Junos.Evolved"
This command helps determine if the device is running a vulnerable release (e.g., 24.4R2-EVO or 25.2).
– Checking for Crash Logs:
show log messages | match "evo-aftmand"
This can reveal if the `evo-aftmand` process has been crashing, often indicated by `evo-aftmand-bx` core entries.
– Monitoring ECMP State:
show route protocol bgp extensive | match "unilist"
This helps in identifying the presence and scale of unilist ECMP routes, which are central to the exploit.
How Exploit:
An attacker can exploit this vulnerability remotely and without authentication. The exploit involves generating a continuous stream of routing updates that force the creation of unilist ECMP routes. While the specific sequence of events required for the crash is not directly controllable by the attacker, the continuous generation of these updates increases the probability of triggering the internal state corruption. The exploit is considered easy to initiate, and the attack complexity is rated as High due to the reliance on this specific sequence. The primary impact is on availability, as the `evo-aftmand` process crash leads to a complete Denial-of-Service for the PFE.
Protection:
Protection against CVE-2026-33794 requires upgrading to a patched version of Junos OS Evolved. The fixed versions are:
– 24.4R2-S3-EVO or later for the 24.4 release train.
– 25.2R2-EVO or later for the 25.2 release train.
As a workaround, network administrators can consider reducing the scale of ECMP unilist deployments or implementing stricter routing update rate-limiting, though these are not complete mitigations. The official advisory is available on the Juniper Support Portal.
Impact:
The successful exploitation of this vulnerability results in a Denial-of-Service (DoS) condition. The `evo-aftmand` process on the PFE crashes, halting packet forwarding for the affected line card. This can lead to significant network disruption and downtime. Recovery requires manual intervention, such as a system reboot or restarting the FPC, which adds to the operational impact. The CVSS base score is 5.9 (Medium), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

