CVE-2024-39563

Junos Space: Remote Command Execution (RCE) vulnerability in web application

Description

A Command Injection vulnerability in Juniper Networks Junos Space allows an unauthenticated, network-based attacker sending a specially crafted request to execute arbitrary shell commands on the Junos Space Appliance, leading to remote command execution by the web application, gaining complete control of the device. A specific script in the Junos Space web application allows attacker-controlled input from a GET request without sufficient input sanitization. A specially crafted request can exploit this vulnerability to execute arbitrary shell commands on the Junos Space Appliance. This issue affects Junos Space 24.1R1. Previous versions of Junos Space are unaffected by this vulnerability.

Remediation

Solution:

  • The following software releases have been updated to resolve this specific issue: Junos Space 24.1R1 Patch V1, and all subsequent releases.

Workaround:

  • Use access lists or firewall filters to limit access to the device's web interface only from trusted hosts.

Category

6.9
CVSS
Severity: Medium
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.74% Top 30%
Vendor Advisory juniper.net
Affected: Juniper Networks Junos Space
Published at:
Updated at:

References

Link Tags
https://supportportal.juniper.net/JSA88110 vendor advisory

Frequently Asked Questions

What is the severity of CVE-2024-39563?
CVE-2024-39563 has been scored as a medium severity vulnerability.
How to fix CVE-2024-39563?
To fix CVE-2024-39563: The following software releases have been updated to resolve this specific issue: Junos Space 24.1R1 Patch V1, and all subsequent releases.
Is CVE-2024-39563 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-39563 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-39563?
CVE-2024-39563 affects Juniper Networks Junos Space.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.