Juniper Networks default password exposes admin
CVE-2026-33784
A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control o...
Overview
A critical vulnerability, CVE-2026-33784, exists in Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC). The software ships with a known, high-privilege default password that is not required to be changed during initial setup. This allows any unauthenticated attacker on the network to log in and take complete administrative control of the device.
Technical Details
The vulnerability is a Use of Default Password flaw. All vLWC software images before version 3.0.94 contain a static, built-in credential for a powerful system account. Because the provisioning process does not enforce a password change, systems can be deployed and left running with this publicly known default password intact. The CVSS v3.1 base score of 9.8 (CRITICAL) reflects the ease of exploitation: an attacker needs no privileges, no user interaction, and can launch the attack over the network.
Impact
If exploited, this vulnerability grants an attacker full administrative access to the vLWC appliance. From this position, they could disrupt network monitoring services, exfiltrate sensitive network performance and configuration data collected by the device, or use the compromised system as a foothold for lateral movement within the network. This poses a significant risk to network integrity and data confidentiality.
Remediation and Mitigation
The primary and immediate action is to apply the vendor-provided patch.
- Patch Immediately: Upgrade the Juniper vLWC software to version 3.0.94 or later. This version addresses the vulnerability. Juniper’s security bulletin contains specific upgrade instructions.
- Change Default Credentials: For any vLWC instances that cannot be patched immediately, it is essential to manually change the default password for all accounts. Ensure new passwords are strong and unique.
- Network Segmentation: Restrict network access to the vLWC management interfaces to only authorized administrative networks, minimizing its attack surface.
For the latest updates on vulnerabilities and patches, monitor our security news feed.
Security Insight
This incident highlights the persistent risk of default credential vulnerabilities in network appliances, a class of flaw often targeted by botnets for initial access. It serves as a reminder that automated deployment and provisioning scripts must explicitly include credential rotation steps; assuming manual intervention will occur is a security gap. Similar past incidents in other vendors’ products have led to widespread compromise of management infrastructure.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Related Advisories
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not requi...
Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A cr...
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directo...
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment ...