Which versions of Juniper are affected by CVE-2026-33784?

Juniper Networks Support Insights vLWC versions before 3.0.94 contain hardcoded default credentials that allow unauthenticated attackers to achieve full device takeover, creating a critical remote…. A patch is available.

How to fix or mitigate CVE-2026-33784?

Within 24 hours: Identify all Juniper vLWC deployments and document current versions. Within 7 days: Apply vendor-released patch to vLWC 3.0.94 or later to all affected instances. Within 30 days: Audit access logs for unauthorized authentication attempts to vLWC systems and verify password change enforcement is active post-patch.

Juniper CVE-2026-33784

Q: What is the CVSS score of CVE-2026-33784?

CVE-2026-33784 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-21203 CRITICAL

Use of Default Password (CWE-1393)

2026-04-09 sirt@juniper.net

GHSA-g6hm-r7f2-4j2f

Authentication Bypass Juniper

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:44 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

3.0.94

EUVD ID Assigned

Apr 09, 2026 - 22:22 euvd

EUVD-2026-21203

Analysis Generated

Apr 09, 2026 - 22:22 vuln.today

CVE Published

Apr 09, 2026 - 22:16 nvd

CRITICAL 9.3

DescriptionNVD

A Use of Default Password vulnerability in the Juniper Networks

Support Insights (JSI)

Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.

vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.

AnalysisAI

Full device takeover in Juniper Networks Support Insights Virtual Lightweight Collector (vLWC) before 3.0.94 via hardcoded default credentials. The vLWC software ships with an unchangeable initial password for a high-privileged account with no enforced password change during provisioning, enabling unauthenticated remote attackers to gain complete system control. …

RemediationAI

Within 24 hours: Identify all Juniper vLWC deployments and document current versions. Within 7 days: Apply vendor-released patch to vLWC 3.0.94 or later to all affected instances. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-48687 CRITICAL Act Now

9.8 May 26

OS command injection in FastNetMon Community Edition (through 1.2.9) lets attacker-controlled input reach an unescaped e

CVE-2026-33784 vulnerability details – vuln.today

Back

Juniper CVE-2026-33784

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

More from same product – last 7 days

Share

Juniper CVE-2026-33784

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code