CVE-2026-33784
Published 2026-04-09
Priority P268 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.46% (36.3th percentile)
A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.
vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible. This issue affects all versions of vLWC before 3.0.94.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| juniper_networks | jsi_lwc | < 3.0.94 | 3.0.94 |
Detection & IOCs (extracted from sources)
- Detect use of default/unchanged credentials on Juniper Networks JSI Virtual Lightweight Collector (vLWC) high-privileged accounts; any successful authentication using the factory-default password on a vLWC instance should be treated as a compromise indicator.
- Flag unauthenticated or anomalous network-based login attempts targeting Juniper JSI vLWC management interfaces, particularly on versions before 3.0.94.
- Audit all deployed vLWC instances for version strings below 3.0.94; any such instance should be considered potentially exposed to default-credential takeover.
- The default password itself is not disclosed in the source material; defenders should consult Juniper's official advisory or vendor documentation to obtain the specific default credential value for targeted detection (e.g., honeypot/canary login monitoring).
- Password change is not enforced at provisioning time, meaning all out-of-the-box deployments running versions before 3.0.94 may retain the default credential unless manually changed by an administrator.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X |
Juniper
vendor_juniper · 2026-04-09 · CVSS 9.8
CVE-2026-33784 [CRITICAL] CWE-1393
GHSA
GHSA-g6hm-r7f2-4j2f
ghsa_unreviewed · 2026-04-10
CVE-2026-33784 [CRITICAL] CWE-1393
No detection rules found.
No public exploits indexed.