CVE-2026-33784
Received Received - Intake
Use of Default Password in Juniper vLWC Allows Full Control

Publication date: 2026-04-09

Last updated on: 2026-04-09

Assigner: Juniper Networks, Inc.

Description
A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33784
EUVD
EUVD-2026-21203
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
juniper_networks virtual_lightweight_collector to 3.0.94 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1393 The product uses default passwords for potentially critical functionality.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Use of Default Password issue in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC). The software ships with an initial password for a highly privileged account, and it does not enforce a password change during provisioning. This allows an unauthenticated attacker on the network to gain full control of the device.

Compliance Impact

This vulnerability allows an unauthenticated, network-based attacker to take full control of the affected device due to the use of a default password that is not enforced to be changed. Such unauthorized access can lead to compromise of sensitive data and systems.

As a result, this vulnerability can negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require adequate security controls to protect sensitive data and prevent unauthorized access.

Impact Analysis

An attacker exploiting this vulnerability can take full control of the affected device without authentication. This means unauthorized actors can access, modify, or disrupt the system, potentially leading to data breaches, service interruptions, or further network compromise.

Detection Guidance

This vulnerability involves the use of a default password on Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) devices before version 3.0.94. Detection typically involves checking whether the default password has been changed on these devices.

Since the vulnerability allows unauthenticated network-based access, one approach is to attempt to connect to the vLWC device using the known default credentials to verify if the password remains unchanged.

Specific commands to detect this vulnerability are not provided in the available information.

Mitigation Strategies

To mitigate this vulnerability, immediately change the default password for the high privileged account on the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) device.

Ensure that the password is strong and unique to prevent unauthorized access.

Additionally, upgrade the vLWC software to version 3.0.94 or later, as all versions before 3.0.94 are affected by this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33784. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart