Sometimes, a simple error message can open the door for much bigger problems. This is exactly what happened with CVE-2022-22162, a vulnerability in Juniper Networks’ Junos OS. This post will explain the vulnerability in everyday language, show you how it works, and give you enough technical details to really understand how it was exploited.
What Is CVE-2022-22162?
In simple terms:
Juniper Junos OS, which powers many business routers and firewalls, had a bug where users with barely any privileges could access error messages that contained sensitive information. The bug allowed these users to "jump up" to the level of any other user currently logged in through the J-Web interface (Juniper’s web admin portal). That means if an administrator was signed in at the same time, the attacker could become an admin, fully taking over the device.
Here’s what makes it so dangerous
- Attackers only need *local* (not remote) access – they can be low-privileged users logged in on the CLI shell.
- If any higher-privilege user is logged in to the J-Web interface, the attacker can “upgrade” themselves to that level.
21.2 before 21.2R1-S1 and 21.2R2
For the full list and critical advisories, check the Juniper Security Advisory and NVD Entry.
The Core Issue
When certain errors happened in the CLI (Command Line Interface), sensitive session information (sometimes even session tokens or user context details) would show up in the error message. If a low-privileged user saw—or managed to intentionally trigger—one of these errors while a more privileged user was logged in (like an admin using J-Web), the attacker could capture secret tokens or session details and use them to “impersonate” that higher-level user.
An admin is logged in at the same time through the J-Web interface.
3. Attacker runs a special command or triggers an error that “spills” session information into the error message.
This is usually by mistyping or intentionally triggering a misconfiguration.
4. The CLI prints out the error message, which may expose session tokens or internal details from the J-Web admin user’s session.
Attacker extracts the session token or relevant info from the error.
6. Attacker uses that info to perform API calls or impersonate the admin via the J-Web, gaining full admin control.
Let’s look at a *hypothetical* code snippet showing how error messages might leak info
# run as a low-privilege user
user@junos> show configuration secret-area
error: access denied to area; session_token="ABC123DEF", user="superadmin"
Now, imagine the attacker copies that session_token="ABC123DEF".
They can now use that token to craft an HTTP request to the J-Web (API), bypassing normal password checks!
import requests
jweb_url = "https://junos-device.local/api/";
headers = {
"Cookie": "JSESSIONID=ABC123DEF"
}
# Try to access admin API endpoint
response = requests.get(jweb_url + "admin/controls", headers=headers, verify=False)
print(response.text)
Why Is This So Bad?
- Attackers don’t have to break passwords or find backdoors—just watch for a simple error message.
If an admin is ever logged in—even for a short time—the attacker can jump up to their level.
- This could result in device configuration changes, traffic redirection, full data compromise, or persistent malware install.
`
2. Check Juniper's official advisory for the minimum safe version.
Update to an unaffected release.
4. As a temporary workaround, minimize access for low-privileged users and avoid simultaneous logins of admins and regular users.
Final Thoughts
CVE-2022-22162 is a great example of how something small, like an error message, can turn into a huge security risk, especially in critical network devices. If your organization uses Juniper devices, double check your versions and update as soon as possible.
References
- National Vulnerability Database - CVE-2022-22162
- Juniper Security Advisory
- Exploit Database Entry (if/when available)
Timeline
Published on: 01/19/2022 01:15:00 UTC
Last modified on: 01/26/2022 17:51:00 UTC