CVE-2026-33784

CRITICAL

Juniper JSI Virtual Lightweight Collector <3.0.94 - Default Password Full Device Access

Title source: manual
STIX 2.1

Description

A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
https://kb.juniper.net/JSA107871

Scores

CVSS v3 9.8
EPSS 0.0046
EPSS Percentile 36.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-1393
Status published
Products (2)
juniper/virtual_lightweight_collector < 3.0.94
Juniper Networks/JSI LWC < 3.0.94
Published Apr 09, 2026
Tracked Since Apr 10, 2026