CVE-2026-33784

Summary

A Use of Default Password vulnerability in the Juniper Networks

Support Insights (JSI)

Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.

vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJSI LWC0 < 3.0.94affected

Weaknesses

  • CWE-1393: CWE-1393 Use of Default Password

Workarounds

The password can be changed in the setup menu of the device, which is described at  Configure Network Settings through JSI Shell | Juniper Support Insights | Juniper Networks https://www.juniper.net/documentation/us/en/software/jsi/vlwc-deploy/topics/topic-map/configure-settings-jsi-shell.html

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References