JSI Virtual Lightweight Collector: Default password is not required to...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

A Use of Default Password vulnerability in the Juniper Networks

Support Insights (JSI)

Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.

vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.

AI Analysis

Use of Default Password vulnerability allowing unauthorized high-privileged access

Basic Information

ID CVE-2026-33784

Source juniper

Published Apr 9, 2026 at 21:36

Affected Product

Vendor Juniper Networks

Product JSI LWC

Affected Versions Juniper Networks JSI LWC 0

CWE Classification

CWE-1393

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Juniper Networks

Product JSI Virtual Lightweight Collector (vLWC)

Version All versions before 3.0.94

References

kb.juniper.net /JSA107871

{
    "lastseen": "",
    "description": "A Use of Default Password vulnerability in the Juniper Networks \n\nSupport Insights (JSI) \n\nVirtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.\n\nvLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.",
    "published": "2026-04-09T21:36:37.519Z",
    "modified": "2026-04-09T21:36:37.519Z",
    "type": "cve",
    "title": "JSI Virtual Lightweight Collector: Default password is not required to be changed which allows unauthorized high-privileged access",
    "source": "juniper",
    "references": "https://kb.juniper.net/JSA107871",
    "id": "CVE-2026-33784",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1393"
    ],
    "cvelist": null,
    "sourceData": "Juniper Networks JSI LWC 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "JSI LWC",
    "version": "0",
    "vendor": "Juniper Networks",
    "ai_description": "Use of Default Password vulnerability allowing unauthorized high-privileged access",
    "ai_severity": "Critical",
    "ai_vendor": "Juniper Networks",
    "ai_product": "JSI Virtual Lightweight Collector (vLWC)",
    "ai_version": "All versions before 3.0.94",
    "ai_score": 9.8
}

JSI Virtual Lightweight Collector: Default password is not required to be changed which allows unauthorized high-privileged access_CVE-2026-33784