Critical Flaws Hit Industrial & Network Gear
A wave of critical security flaws is hitting widely used embedded systems. Juniper issued an emergency patch for a remote code execution bug in its PTX routers, while Johnson Controls' industrial hardware has a high-severity code injection issue, and a CISA warning highlights a CVSS 10.0 vulnerability in an industrial gateway.
The Juniper PTX router flaw, CVE-2026-21902, is rooted in an incorrect permission assignment for the 'On-Box Anomaly Detection' framework. This service, enabled by default with root privileges, was inadvertently exposed to external networks, allowing an unauthenticated attacker to gain complete control of the device. Juniper released an out-of-band patch to address the vulnerability, which was discovered through internal security testing. The Johnson Controls vulnerability, CVE-2026-21657, affects Frick Controls Quantum HD devices, which are common in industrial and commercial facilities for managing environmental controls. This high-severity code injection flaw stems from insufficient input validation, allowing a remote, unauthenticated attacker to execute arbitrary code and potentially take full control of the system. The vulnerability impacts device versions 10.22 and earlier and can be exploited without any user interaction. The CVSS 10.0 vulnerability highlighted by CISA affects the General Industrial Controls Lynx+ Gateway. This critical flaw, CVE-2025-58083, is a "Missing Authentication for Critical Function" in the embedded web server, which could permit an attacker to remotely reset the device. This is compounded by other identified issues, including weak password requirements (CVE-2025-55034) and the transmission of sensitive information in cleartext (CVE-2025-62765). These vulnerabilities underscore a recurring theme in embedded systems security: the risk posed by services that are improperly exposed to external networks or that lack robust authentication mechanisms. The Juniper flaw highlights how default configurations can introduce significant risk, while the Johnson Controls and Lynx+ Gateway issues demonstrate the critical need for thorough input validation and secure authentication in industrial control systems. The potential for these flaws to be exploited remotely without user interaction makes them particularly dangerous, as they could be leveraged to disrupt critical infrastructure.
