Cyber Resilience

CVE-2026-33771

Critical

Published: 09 April 2026
Modified: 13 April 2026
CVSS v4.0 score: 9.1 (vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X)
EPSS score: 0.0024 (15.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-33771 is a critical-severity Weak Password Requirements (CWE-521) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked at the 15.4th percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33771 is a weak password requirements vulnerability in the password management function of Juniper Networks CTP OS. The password management menu allows administrators to configure password complexity requirements, but these settings are not saved persistently. The failure can be verified with the "Show password requirements" menu option; the effect is that no or only minimal complexity rules are enforced. Consequently, weak passwords can be set for local accounts, increasing the risk of brute-force or guessing attacks. The vulnerability affects CTP OS versions 9.2R1 and 9.2R2, carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), and is associated with CWE-521 (Weak Password Requirements).

An unauthenticated, network-based attacker can exploit this vulnerability by targeting local account passwords that fail to meet intended complexity standards. Due to the lack of enforced requirements, attackers may guess or brute-force these weak passwords over the network, potentially gaining unauthorized access to the device. Successful exploitation could enable full control of the affected CTP OS instance, compromising confidentiality and integrity of the system, though availability is not directly impacted.

The Juniper Networks security advisory at https://kb.juniper.net/JSA107864 details mitigation steps and available patches for this issue. Security practitioners should consult this advisory for version-specific upgrade guidance to address the persistent storage failure of password complexity settings.

Vulnerability details

A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS might allow an unauthenticated, network-based attacker to exploit weak passwords of local accounts and potentially take full control of the device. The password management menu enables the administrator to set password complexity requirements, but these settings are not saved. The issue can be verified with the menu option "Show password requirements". Failure to enforce the intended requirements can lead to weak passwords being used, which significantly increases the likelihood that an attacker can guess these and subsequently attain unauthorized access. This issue affects CTP OS versions 9.2R1 and 9.2R2.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

T1078.003 Local Accounts (Stealth): Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

The vulnerability allows weak passwords for local accounts because complexity rules are not enforced, directly enabling brute-force and password-guessing attacks (T1110.001) to obtain and abuse valid local accounts (T1078.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-55269 (shared CWE-521)
CVE-2023-37398 (shared CWE-521)
CVE-2023-35907 (shared CWE-521)
CVE-2025-25749 (shared CWE-521)
CVE-2025-25211 (shared CWE-521)
CVE-2025-1341 (shared CWE-521)
CVE-2025-55252 (shared CWE-521)
CVE-2026-6284 (shared CWE-521)
CVE-2025-63747 (shared CWE-521)
CVE-2026-25715 (shared CWE-521)

Affected Assets

CTP OS (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 mandates management of authenticators, including establishment of sufficient strength of mechanism and complexity requirements, directly preventing the use of weak passwords due to unenforced settings.

Prevent: SI-2 requires identification, reporting, and timely remediation of system flaws, directly addressing the software defect that causes password complexity configurations not to be saved persistently.

Prevent: AC-7 limits brute-force and guessing attacks on weak local account passwords by enforcing lockout after unsuccessful logon attempts.