CVE-2026-33784
JSI Virtual Lightweight Collector: Default password is not required to be changed which allows unauthorized high-privileged access
In short
Juniper's JSI Virtual Lightweight Collector ships with a default high-privileged account password that doesn't have to be changed during setup, allowing anyone on the network to take complete control of the device.
Technical detail
A Use of Default Password vulnerability (CWE-1393) in JSI vLWC allows an unauthenticated, network-based attacker to gain full administrative access using the default credential of a high-privileged account, because initial provisioning does not enforce a password change. The vulnerability affects all vLWC versions prior to 3.0.94 and requires no authentication or user interaction, presenting a critical remote compromise vector.
Summary generated and translated by AI from the official description.
A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.
vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.
This issue affects all versions of vLWC before 3.0.94.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/RE:L
Affected products
Juniper Networks · JSI LWC
References
https://kb.juniper.net/JSA107871