CRITICALZero Day
Verified
Global

UNC3886 Deploys Firmware Rootkit on Juniper MX Routers via Zero-Day

·Source: Mandiant

Updated:

Executive Summary

UNC3886 exploits Juniper Junos zero-day to deploy firmware-level rootkits on MX-series routers. Implant survives software upgrades and factory resets.

Analysis

Mandiant identified UNC3886 exploiting CVE-2026-29001 in Juniper Junos OS to install firmware-level rootkits on MX-series routers used by ISPs and large enterprises. The implant, dubbed TinyShell.Router, intercepts and exfiltrates network traffic while maintaining persistence across software upgrades. Discovery came during an IR engagement at a European telecom.

Timeline

Discovered
Mar 20, 2026
Exploitation Detected
Mar 20, 2026
Published
Mar 31, 2026

Indicators of Compromise (1)

CVE (1)
CVE-2026-29001
NVDMITRE CVE
Source Attribution

Originally published by Mandiant on Mar 31, 2026. Verified by: Mandiant, CISA, Juniper.

Related Threats

CRITICALZero Day

Microsoft Exchange Zero-Day Under Attack, No Patch Available

CVE-2026-42897 stems from a cross-site scripting (XSS) vulnerability and can allow an attacker to compromise Outlook Web Access (OWA) mailboxes.

CVE-2026-42897
Dark Reading
MEDIUMZero Day

⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More

Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted. The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production

The Hacker News
CRITICALZero Day

‘Patched’ Windows bug resurfaces 6 years later as working SYSTEM-level exploit

An old elevation-of-privilege (EoV) vulnerability affecting the Cloud Filter driver “cldflt.sys” in Windows has come back to haunt Microsoft, as researchers claim it is still exploitable six years after it was supposedly patched. The flaw, originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020, was recently picked up by Nightmare Eclipse , a researcher o

CVE-2020-17103CVE-2026-33825
CSO Online