Description
A Use of Default Password vulnerability in the Juniper Networks

Support Insights (JSI)

Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.

vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.
Published: 2026-04-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Full device control via default credentials
Action: Patch immediately
AI Analysis

Impact

The JSI Virtual Lightweight Collector (vLWC) ships with a predetermined high‑privileged account password that is never required to be changed during first‑time provisioning. If the password is left at its default value, an attacker can authenticate using those credentials and obtain full administrative control over the device. This allows the compromise of confidentiality, integrity, and availability of the system, because the attacker can reconfigure settings, access data, or disrupt operations. The weakness matches CWE‑1393, the use of default credentials.

Affected Systems

All Juniper Networks JSI Virtual Lightweight Collector software images older than version 3.0.94 are impacted. Older releases still contain the default high‑privileged password and thus remain vulnerable. Vendors recommend upgrading to release 3.0.94 or newer.

Risk and Exploitability

The vulnerability scores a 9.3 on the CVSS scale, indicating critical severity. No EPSS value is available, and the issue is not listed in the CISA KEV catalog. Nonetheless, the attack vector is straightforward: an unauthenticated, network‑based attacker can reach the device’s management interface and log in with the default credentials immediately after deployment, requiring no prior foothold. Therefore the risk level is high and exploitation is likely under suitable conditions.

Generated by OpenCVE AI on April 9, 2026 at 23:52 UTC.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: 3.0.94, and all subsequent releases.

Vendor Workaround

The password can be changed in the setup menu of the device, which is described at  Configure Network Settings through JSI Shell | Juniper Support Insights | Juniper Networks https://www.juniper.net/documentation/us/en/software/jsi/vlwc-deploy/topics/topic-map/configure-settings-jsi-shell.html

OpenCVE Recommended Actions

  • Upgrade JSI LWC to version 3.0.94 or later
  • Immediately change the default high‑privileged account password following the setup menu procedure if an upgrade is not possible

Generated by OpenCVE AI on April 9, 2026 at 23:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://kb.juniper.net/JSA107871 cve-icon cve-icon
History

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Juniper Networks
Juniper Networks jsi Lwc
Vendors & Products Juniper Networks
Juniper Networks jsi Lwc

Thu, 09 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.
Title JSI Virtual Lightweight Collector: Default password is not required to be changed which allows unauthorized high-privileged access
Weaknesses CWE-1393
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/RE:L'}

Subscriptions

Juniper Networks Jsi Lwc
cve-icon MITRE

Status: PUBLISHED

Assigner: juniper

Published:

Updated: 2026-04-09T21:36:37.519Z

Reserved: 2026-03-23T19:46:13.670Z

Link: CVE-2026-33784

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-09T22:16:27.820

Modified: 2026-04-09T22:16:27.820

Link: CVE-2026-33784

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:27:50Z

Weaknesses