CVE-2026-33784 PUBLISHED

JSI Virtual Lightweight Collector: Default password is not required to be changed which allows unauthorized high-privileged access

Assigner: juniper
Reserved: 23.03.2026 Published: 09.04.2026 Updated: 09.04.2026

A Use of Default Password vulnerability in the Juniper Networks

Support Insights (JSI)

Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.

vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/RE:L
CVSS Score: 9.3

Product Status

Vendor Juniper Networks
Product JSI LWC
Versions Default: unaffected
  • affected from 0 to 3.0.94 (excl.)

Exploits

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

Workarounds

The password can be changed in the setup menu of the device, which is described at  Configure Network Settings through JSI Shell | Juniper Support Insights | Juniper Networks https://www.juniper.net/documentation/us/en/software/jsi/vlwc-deploy/topics/topic-map/configure-settings-jsi-shell.html

Solutions

The following software releases have been updated to resolve this specific issue: 3.0.94, and all subsequent releases.

References

Problem Types

  • CWE-1393 Use of Default Password CWE