CVE-2026-33784
Juniper · Support Insights (JSI) Virtual Lightweight Collector (vLWC)
Juniper Networks vLWC ships with a default password for a high-privileged account and does not enforce changing it, allowing unauthenticated remote access.
Executive summary
A default password vulnerability in Juniper vLWC allows unauthenticated attackers to gain full administrative control over the appliance.
Vulnerability
The vLWC software uses a hardcoded or default password for a highly privileged account. Because the system does not mandate a password change during the initial provisioning process, unauthenticated network-based attackers can gain full control of the device.
Business impact
With a CVSS score of 9.8, this vulnerability represents an extreme security risk. A successful exploit grants the attacker total control over the appliance, which can be used as a pivot point for further lateral movement within the network or to intercept and manipulate management traffic.
Remediation
Immediate Action: Upgrade the vLWC software to version 3.0.94 or later to enforce secure password policies.
Proactive Monitoring: Monitor for unauthorized login attempts and unusual administrative activity originating from unknown or unauthorized IP addresses.
Compensating Controls: Isolate the vLWC management interface within a restricted network segment (VLAN) and ensure access is limited to trusted administrators via VPN or jump hosts.
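An added example, not part of the original advisory and not Juniper tooling: a triage script for the remediation steps above that flags appliances below 3.0.94 and administrative logins from outside the trusted management networks. The inventory, the normalized event format (timestamp, host, source IP, user, outcome), the account name and the network range are constructed assumptions, not vLWC's own log format.

```python
import ipaddress
import re

FIXED_VERSION = (3, 0, 94)  # first fixed release named in the advisory
# Assumption: networks administrators are expected to connect from (VPN, jump hosts).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.30.0/28")]

# Constructed sample data, not real appliances or real vLWC log lines.
INVENTORY = {"vlwc-a": "3.0.93", "vlwc-b": "3.0.94", "vlwc-c": "3.0.100"}
EVENTS = [
    "2026-01-10T02:14:07Z vlwc-a 203.0.113.45 ops-admin failure",
    "2026-01-10T02:14:31Z vlwc-a 203.0.113.45 ops-admin success",
    "2026-01-10T08:01:12Z vlwc-b 10.20.30.5 ops-admin success",
    "2026-01-10T09:30:00Z vlwc-c 198.51.100.7 ops-admin failure",
]

def parse_version(text):
    """'3.0.100' -> (3, 0, 100), so comparison is numeric rather than lexical."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def hosts_needing_upgrade(inventory):
    """Hosts whose reported version is below the fixed release."""
    return sorted(h for h, v in inventory.items() if parse_version(v) < FIXED_VERSION)

def is_trusted(source_ip):
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def review_logins(events):
    """Findings for logins from outside the trusted networks.
    A success is 'high' (possible use of an unchanged password); a failure is 'medium'."""
    findings = []
    for line in events:
        ts, host, src, user, outcome = line.split()
        if not is_trusted(src):
            severity = "high" if outcome == "success" else "medium"
            findings.append((severity, ts, host, src, user))
    # High severity first, then oldest first within each severity.
    return sorted(findings, key=lambda f: (f[0] != "high", f[1]))

if __name__ == "__main__":
    print("Upgrade required:", hosts_needing_upgrade(INVENTORY))
    for finding in review_logins(EVENTS):
        print(*finding)
```

A successful login from an untrusted source on a host that still needs the upgrade is the combination to investigate first.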
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical nature of this vulnerability and the ease of unauthorized access, immediate action is required. Administrators must update the affected software and ensure that all administrative passwords are changed from their default state.