CVE-2026-33771
Published: 09 April 2026
Summary
CVE-2026-33771 is a high-severity Weak Password Requirements (CWE-521) vulnerability. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The vulnerability ranks at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates management of authenticators including establishment of sufficient strength of mechanism and complexity requirements, directly preventing the use of weak passwords due to unenforced settings.
SI-2 requires identification, reporting, and timely remediation of system flaws, directly addressing the software defect causing failure to persistently save password complexity configurations.
AC-7 limits brute-force and guessing attacks on weak local account passwords by enforcing lockout after unsuccessful logon attempts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows weak passwords for local accounts because complexity rules are not enforced, directly enabling brute-force and password-guessing attacks (T1110.001) to obtain and abuse valid local accounts (T1078.003).
NVD Description
A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS might allow an unauthenticated, network-based attacker to exploit weak passwords of local accounts and potentially take full control of the device. The password management menu enables the administrator to set password complexity requirements, but these settings are not saved. The issue can be verified with the menu option "Show password requirements". Failure to enforce the intended requirements can lead to weak passwords being used, which significantly increases the likelihood that an attacker can guess these and subsequently attain unauthorized access. This issue affects CTP OS versions 9.2R1 and 9.2R2.
Deeper analysis
CVE-2026-33771 is a weak password requirements vulnerability in the password management function of Juniper Networks CTP OS. The password management menu allows administrators to configure password complexity requirements, but these settings are not saved persistently, which can be verified with the "Show password requirements" menu option; as a result, no or only minimal complexity rules are enforced. Consequently, weak passwords can be set for local accounts, increasing the risk of brute-force or guessing attacks. The vulnerability affects CTP OS versions 9.2R1 and 9.2R2, has a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), and is associated with CWE-521 (Weak Password Requirements).
An unauthenticated, network-based attacker can exploit this vulnerability by targeting local account passwords that fail to meet intended complexity standards. Due to the lack of enforced requirements, attackers may guess or brute-force these weak passwords over the network, potentially gaining unauthorized access to the device. Successful exploitation could enable full control of the affected CTP OS instance, compromising confidentiality and integrity of the system, though availability is not directly impacted.
The Juniper Networks security advisory at https://kb.juniper.net/JSA107864 details mitigation steps and available patches for this issue. Security practitioners should consult this advisory for version-specific upgrade guidance to address the persistent storage failure of password complexity settings.
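Because the configured requirements are not persisted, the policy a device actually enforces can silently differ from the one the administrator set. The following Python is an added example, not part of the advisory or of Juniper's software: it compares an intended policy with the effective policy a device reports and lists the fields that were weakened; the report format, field names and sample values are constructed for illustration and are not the CTP OS "Show password requirements" output.

```python
"""Policy-drift check for the failure mode in CVE-2026-33771 (added example).

The configured complexity settings are not persisted, so the effective policy
silently falls back to something weaker. This compares the intended policy with
the effective one the device reports and lists the weakened fields. The report
format and field names are constructed; they are not the CTP OS output format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_length: int
    upper: bool = False    # require an uppercase letter
    lower: bool = False    # require a lowercase letter
    digit: bool = False    # require a digit
    special: bool = False  # require a non-alphanumeric character

    def accepts(self, pw: str) -> bool:
        """True if pw satisfies every requirement this policy enforces."""
        return all([
            len(pw) >= self.min_length,
            not self.upper or re.search(r"[A-Z]", pw),
            not self.lower or re.search(r"[a-z]", pw),
            not self.digit or re.search(r"\d", pw),
            not self.special or re.search(r"[^A-Za-z0-9]", pw),
        ])


def parse_policy(report: str) -> Policy:
    """Parse a constructed 'key: value' requirements report into a Policy."""
    kv = dict(re.findall(r"^\s*([a-z_]+)\s*:\s*(\S+)", report, re.M))
    flags = {k: kv.get(k, "no").lower() == "yes"
             for k in ("upper", "lower", "digit", "special")}
    return Policy(int(kv.get("min_length", 0)), **flags)


def drift(intended: Policy, effective: Policy) -> list:
    """Fields where the effective policy is weaker than the intended one."""
    weaker = []
    if effective.min_length < intended.min_length:
        weaker.append(f"min_length {intended.min_length} -> {effective.min_length}")
    for field in ("upper", "lower", "digit", "special"):
        if getattr(intended, field) and not getattr(effective, field):
            weaker.append(f"{field} required -> not required")
    return weaker


# Constructed sample: what the admin configured vs. what the device reports.
INTENDED = Policy(12, upper=True, lower=True, digit=True, special=True)
EFFECTIVE_REPORT = "min_length: 6\nupper: no\nlower: no\ndigit: no\nspecial: no\n"
```

A non-empty result from `drift()` after a reboot or configuration save is the signal that the persisted policy no longer matches what was configured.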
Details
- CWE(s)