Juniper default password flaw can hand attackers full control of vLWC appliances


Juniper Networks has disclosed a critical flaw in its Support Insights Virtual Lightweight Collector that can let an unauthenticated attacker take full control of the device over the network if the default high-privilege password was never changed. The issue is tracked as CVE-2026-33784 and affects JSI vLWC versions before 3.0.94.

This is a default-password problem, but the impact is unusually severe. Juniper says vLWC images ship with an initial password for a highly privileged account, and the product did not force admins to replace that password during provisioning. That leaves exposed appliances open to takeover if they still use the factory-set credential.

The severity score reflects that risk. Public vulnerability listings and downstream advisories place CVE-2026-33784 at 9.8 on the CVSS v3.1 scale, with network access, low attack complexity, no required privileges, and no user interaction.

Why this Juniper flaw matters

A successful login with the default privileged password gives an attacker broad control over the appliance. That can mean access to sensitive support and diagnostic data, configuration changes, service disruption, and a possible foothold for deeper movement inside the network. Those outcomes follow directly from Juniper’s description that the flaw can allow full control of the device.

The affected product is not Junos itself but JSI vLWC, which many organizations use to support automated monitoring and support workflows in Juniper environments. Canada’s Cyber Centre included JSI vLWC versions prior to 3.0.94 in its April 9 advisory roundup and urged administrators to review Juniper’s guidance and apply the necessary updates.

Juniper says it found the issue internally. At the time reflected in the advisory trail, no public evidence pointed to active exploitation in the wild, but default-password weaknesses rarely stay quiet for long once they become public because they are easy to scan and easy to automate.

Affected versions and fix

The vulnerable range covers all Juniper Support Insights Virtual Lightweight Collector versions before 3.0.94. Juniper’s remedy is straightforward: upgrade to 3.0.94 or later.

If an immediate upgrade is not possible, Juniper says administrators can still change the password through the device setup menu. That does not replace patching, but it closes the most dangerous exposure if the system still uses the original credential.

Quick view

Item | Details
CVE | CVE-2026-33784
Product | Juniper Networks Support Insights Virtual Lightweight Collector
Severity | CVSS 9.8
Attack type | Unauthenticated, network-based access via default privileged password
Affected versions | All vLWC versions before 3.0.94
Fix | Upgrade to 3.0.94 or later
Temporary mitigation | Change the default admin password in the setup menu

What administrators should do now

  • Upgrade every affected JSI vLWC appliance to version 3.0.94 or later.
  • Check whether any deployed collector still uses the factory-set privileged password.
  • Change that password immediately if patching cannot happen at once.
  • Restrict network exposure to vLWC systems and review who can reach them. This step is a reasonable defensive measure because the issue is network-reachable and unauthenticated.
  • Review logs and recent access activity for any sign of unexpected administrative logins. This is a prudent response given the full-control impact described in the advisory.
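As an added illustration, not code from Juniper or from this article, the Python script below applies the checklist above to an inventory of collectors and ranks them by what the advisory describes as the worst case (unpatched and still on the default password). The inventory fields and the sample collectors are constructed assumptions, and the script also shows why version strings must be compared numerically rather than as text.

```python
from dataclasses import dataclass

FIXED_VERSION = (3, 0, 94)  # first fixed JSI vLWC release named in Juniper's advisory

def parse_version(text: str) -> tuple[int, ...]:
    """'3.0.94' -> (3, 0, 94). As strings, '3.0.100' sorts before '3.0.94'."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable_version(version: str) -> bool:
    """True for every vLWC release before 3.0.94, the affected range on the page."""
    return parse_version(version) < FIXED_VERSION

@dataclass
class Collector:
    name: str
    version: str
    default_password_in_use: bool  # assumed field, from local provisioning records
    network_exposed: bool          # assumed field, from a firewall/exposure review

def triage(inventory: list[Collector]) -> list[dict]:
    """Assign each collector a priority and the advisory's actions, worst first."""
    findings = []
    for c in inventory:
        unpatched = is_vulnerable_version(c.version)
        actions = []
        if unpatched:
            actions.append("upgrade to 3.0.94 or later")
        if c.default_password_in_use:
            actions.append("change the default privileged password via the setup menu")
            actions.append("review logs for unexpected administrative logins")
        if c.network_exposed:
            actions.append("restrict network exposure and review who can reach it")
        if unpatched and c.default_password_in_use:
            priority = "critical"  # unauthenticated full control is possible
        elif unpatched or c.default_password_in_use:
            priority = "high"      # one of the two conditions still holds
        else:
            priority = "none"
        findings.append({"name": c.name, "priority": priority, "actions": actions})
    rank = {"critical": 0, "high": 1, "none": 2}
    return sorted(findings, key=lambda f: rank[f["priority"]])

# Constructed sample inventory; names and states are invented for illustration.
SAMPLE_INVENTORY = [
    Collector("vlwc-dc1", "3.0.88", default_password_in_use=True, network_exposed=True),
    Collector("vlwc-dc2", "3.0.100", default_password_in_use=False, network_exposed=False),
    Collector("vlwc-lab", "3.0.94", default_password_in_use=False, network_exposed=False),
    Collector("vlwc-branch", "2.9.12", default_password_in_use=False, network_exposed=True),
]
```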

FAQ

What is CVE-2026-33784?

It is a default-password vulnerability in Juniper Networks Support Insights Virtual Lightweight Collector that can let an unauthenticated attacker take full control of the device over the network if the initial privileged password was never changed.

Which versions are affected?

All JSI vLWC versions before 3.0.94 are affected.

Did Juniper report active exploitation?

The advisory trail available publicly does not report known in-the-wild exploitation at the time of disclosure.

What is the fastest fix?

Upgrade to version 3.0.94 or later. If you cannot patch immediately, change the default privileged password through the device setup menu right away.
