CVE-2026-33784
Published: 09 April 2026
Summary
CVE-2026-33784 is a critical-severity Use of Default Password (CWE-1393) vulnerability in Juniper Networks Support (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 17.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires changing default authenticators prior to first use, preventing exploitation of the unchanged default password for the high-privileged account in vLWC.
Ensures proper management of accounts, including high-privileged ones, by disabling unnecessary accounts and enforcing secure provisioning without default credentials.
Mandates timely remediation of identified flaws, such as upgrading vLWC to version 3.0.94 or later to address the default password vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is the use of default passwords on a high-privileged account without enforcement of change, directly enabling remote unauthenticated attackers to obtain and abuse default credentials for full device compromise (Initial Access).
NVD Description
A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible. This issue affects all versions of vLWC before 3.0.94.
Deeper analysis
CVE-2026-33784 is a Use of Default Password vulnerability (CWE-1393) in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC). The vLWC software images ship with an initial password for a high-privileged account, and a change of this password is not enforced during provisioning. This flaw affects all versions of vLWC prior to 3.0.94 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete compromise.
An unauthenticated, network-based attacker can exploit this vulnerability by using the default credentials to gain full control of the affected vLWC device. No special privileges, user interaction, or complex conditions are required, allowing remote exploitation over the network.
The Juniper Networks security advisory at https://kb.juniper.net/JSA107871 provides details on mitigation, which includes upgrading to vLWC version 3.0.94 or later where the issue is addressed.
Details
- CWE(s)