CVE-2026-33784
Use of Default Password in Juniper vLWC Allows Full Control
Publication date: 2026-04-09
Last updated on: 2026-04-09
Assigner: Juniper Networks, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| juniper_networks | virtual_lightweight_collector | to 3.0.94 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1393 | The product uses default passwords for potentially critical functionality. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an unauthenticated, network-based attacker to take full control of the affected device because the product ships with a default password and does not enforce a change. Such unauthorized access can lead to compromise of sensitive data and systems.
As a result, this vulnerability can negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require adequate security controls to protect sensitive data and prevent unauthorized access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the use of a default password on Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) devices before version 3.0.94. Detection typically involves checking whether the default password has been changed on these devices.
Since the vulnerability allows unauthenticated network-based access, one approach is to attempt to connect to the vLWC device using the known default credentials to verify if the password remains unchanged.
Specific commands to detect this vulnerability are not provided in the available information.
Can you explain this vulnerability to me?
This vulnerability is a Use of Default Password issue in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC). The software ships with an initial password for a highly privileged account, and it does not enforce a password change during provisioning. This allows an unauthenticated attacker on the network to gain full control of the device.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can take full control of the affected device without authentication. This means unauthorized actors can access, modify, or disrupt the system, potentially leading to data breaches, service interruptions, or further network compromise.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately change the default password for the highly privileged account on the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) device.
Ensure that the password is strong and unique to prevent unauthorized access.
Additionally, upgrade the vLWC software to version 3.0.94 or later, as all versions before 3.0.94 are affected by this issue.
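To track both mitigation steps across a fleet, the following added example (not Juniper's code and not part of the original page) audits an asset inventory against the 3.0.94 fix boundary. The CSV layout, the `password_rotated` column, the hostnames and the finding labels are assumptions made for this sketch; treating an upgraded host with no recorded password change as "verify" is a conservative choice, not something the advisory states.

```python
import csv
import io
import re

FIXED = (3, 0, 94)  # versions before 3.0.94 are affected, per the page

# Constructed sample inventory; column names and hosts are assumptions.
SAMPLE_INVENTORY = """hostname,version,password_rotated
vlwc-lab-01,3.0.93,no
vlwc-dc-02,3.0.94,yes
vlwc-dc-03,3.0.100,no
vlwc-edge-04,3.0.9,yes
vlwc-edge-05,unknown,
"""

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if not a plain X.Y.Z string."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){2}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(row):
    """Map one inventory row to a finding label (labels are hypothetical)."""
    version = parse_version(row.get("version") or "")
    rotated = (row.get("password_rotated") or "").strip().lower() == "yes"
    if version is None:
        return "UNKNOWN_VERSION"  # cannot rule the host out; check it manually
    # Compare as integer tuples: as strings, "3.0.100" would sort before "3.0.94".
    if version < FIXED:
        return "AFFECTED" if rotated else "AFFECTED_DEFAULT_PASSWORD_RISK"
    return "FIXED" if rotated else "FIXED_VERIFY_PASSWORD"

def audit(inventory_csv):
    """Return {hostname: finding} for every row in the CSV text."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["hostname"]: classify(row) for row in reader}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY).items():
        print(f"{host:14} {finding}")
```

Hosts reported as `AFFECTED_DEFAULT_PASSWORD_RISK` need the password change first, since the upgrade alone is listed on the page as an additional step.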