Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X
Primary rating from Vendor (juniper) · only source for this CVE.
CVSS VectorVendor: juniper
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X
Lifecycle Timeline
6DescriptionCVE.org
A Use of Default Password vulnerability in the Juniper Networks
Support Insights (JSI)
Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.
vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.
AnalysisAI
Full device takeover in Juniper Networks Support Insights Virtual Lightweight Collector (vLWC) before 3.0.94 via hardcoded default credentials. The vLWC software ships with an unchangeable initial password for a high-privileged account with no enforced password change during provisioning, enabling unauthenticated remote attackers to gain complete system control. CVSS v4.0 score 9.3 (Critical). No public exploit identified at time of analysis.
Technical ContextAI
CWE-1393 use-of-default-credentials vulnerability. The vLWC provisioning workflow fails to mandate credential rotation for factory-set high-privilege accounts, leaving production deployments accessible via predictable authentication material embedded in the software image. Root cause is insufficient credential lifecycle enforcement in initial setup procedures.
RemediationAI
Vendor-released patch: Upgrade all vLWC deployments to version 3.0.94 or later immediately. For installations currently running affected versions, perform emergency password rotation for all high-privileged accounts before upgrade to prevent unauthorized access during migration window. Post-upgrade, validate that default credentials have been changed and implement monitoring for authentication attempts using legacy credential patterns. Disable remote management interfaces on affected systems until patching completes. Organizations unable to patch immediately must isolate vLWC instances behind strict network access controls restricting connectivity to trusted management networks only. Full vendor security advisory with upgrade instructions: https://kb.juniper.net/JSA107871
Same weakness CWE-1393 – Use of Default Password
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21203
GHSA-g6hm-r7f2-4j2f