Skip to main content

Virtual Lightweight Collector CVE-2026-33784

| EUVDEUVD-2026-21203 CRITICAL
Use of Default Password (CWE-1393)
2026-04-09 sirt@juniper.net GHSA-g6hm-r7f2-4j2f
9.3
CVSS 4.0 · Vendor: juniper
Share

Severity by source

Vendor (juniper) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X

Primary rating from Vendor (juniper) · only source for this CVE.

CVSS VectorVendor: juniper

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:44 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.0.94
EUVD ID Assigned
Apr 09, 2026 - 22:22 euvd
EUVD-2026-21203
Analysis Generated
Apr 09, 2026 - 22:22 vuln.today
CVE Published
Apr 09, 2026 - 22:16 nvd
CRITICAL 9.3

DescriptionCVE.org

A Use of Default Password vulnerability in the Juniper Networks

Support Insights (JSI)

Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.

vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.

AnalysisAI

Full device takeover in Juniper Networks Support Insights Virtual Lightweight Collector (vLWC) before 3.0.94 via hardcoded default credentials. The vLWC software ships with an unchangeable initial password for a high-privileged account with no enforced password change during provisioning, enabling unauthenticated remote attackers to gain complete system control. CVSS v4.0 score 9.3 (Critical). No public exploit identified at time of analysis.

Technical ContextAI

CWE-1393 use-of-default-credentials vulnerability. The vLWC provisioning workflow fails to mandate credential rotation for factory-set high-privilege accounts, leaving production deployments accessible via predictable authentication material embedded in the software image. Root cause is insufficient credential lifecycle enforcement in initial setup procedures.

RemediationAI

Vendor-released patch: Upgrade all vLWC deployments to version 3.0.94 or later immediately. For installations currently running affected versions, perform emergency password rotation for all high-privileged accounts before upgrade to prevent unauthorized access during migration window. Post-upgrade, validate that default credentials have been changed and implement monitoring for authentication attempts using legacy credential patterns. Disable remote management interfaces on affected systems until patching completes. Organizations unable to patch immediately must isolate vLWC instances behind strict network access controls restricting connectivity to trusted management networks only. Full vendor security advisory with upgrade instructions: https://kb.juniper.net/JSA107871

Share

CVE-2026-33784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy