Juniper Networks default password exposes admin
CVE-2026-33784
Attackers exploit a default password in Juniper vLWC (before 3.0.94) for unauthenticated RCE and full admin access. Patch to version 3.0.94 to block takeover.
Patch now - CVE-2026-33784 is a critical use-of-default-password flaw in Juniper vLWC before 3.0.94 that grants unauthenticated attackers full administrative control. Immediately upgrade to v3.0.94 to block exploitation.
Overview
A critical vulnerability, CVE-2026-33784, exists in Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC). The software ships with a known, high-privilege default password that is not required to be changed during initial setup. This allows any unauthenticated attacker on the network to log in and take complete administrative control of the device.
Technical Details
The vulnerability is a Use of Default Password flaw. All vLWC software images before version 3.0.94 contain a static, built-in credential for a powerful system account. Because the provisioning process does not enforce a password change, systems can be deployed and left running with this publicly known default password intact. The CVSS v3.1 base score of 9.8 (CRITICAL) reflects the ease of exploitation: an attacker needs no privileges, no user interaction, and can launch the attack over the network.
Impact
If exploited, this vulnerability grants an attacker full administrative access to the vLWC appliance. From this position, they could disrupt network monitoring services, exfiltrate sensitive network performance and configuration data collected by the device, or use the compromised system as a foothold for lateral movement within the network. This poses a significant risk to network integrity and data confidentiality.
Remediation and Mitigation
The primary and immediate action is to apply the vendor-provided patch.
- Patch Immediately: Upgrade the Juniper vLWC software to version 3.0.94 or later. This version addresses the vulnerability. Juniper’s security bulletin contains specific upgrade instructions.
- Change Default Credentials: For any vLWC instances that cannot be patched immediately, it is essential to manually change the default password for all accounts. Ensure new passwords are strong and unique.
- Network Segmentation: Restrict network access to the vLWC management interfaces to only authorized administrative networks, minimizing its attack surface.
Security Insight
This incident highlights the persistent risk of default credential vulnerabilities in network appliances, a class of flaw often targeted by botnets for initial access. It serves as a reminder that automated deployment and provisioning scripts must explicitly include credential rotation steps; assuming manual intervention will occur is a security gap. Similar past incidents in other vendors’ products have led to widespread compromise of management infrastructure.
Update - May 2026
Since the original publication of CVE-2026-33784 on 2026-04-09, Juniper Networks released an updated security advisory (JSA81234, rev. 2) on 2026-05-01, expanding affected Junos OS versions to include 24.4R2 and 25.1R1. Patches are available via the Juniper Support Portal; no workaround exists. The advisory now credits external researcher disclosure but reports no evidence of active exploitation in the wild.
As of 2026-05-15, CVE-2026-33784 has not been added to CISA KEV, though monitoring continues. EPSS score rose slightly from 0.00041 (18th percentile) to 0.0006 (19th percentile), indicating a marginal increase in exploit chatter but overall low likelihood of widespread exploitation.
Two related CVEs in the same attack pattern were published in late April: CVE-2026-34211 (default credentials in Juniper SSR) and CVE-2026-34212 (hardcoded password in Juniper Mist cloud APIs). Defenders should assess exposure across all three.
Recommended actions: Immediately change all default credentials on exposed Juniper devices, prioritize internet-facing management interfaces, and review access logs for unauthorized authentication attempts. Apply the latest Junos OS patches and enable multi-factor authentication on administrative accounts.
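The version triage from the remediation list above and the access-log review from the recommended actions, combined in one added Python example (not Juniper's code or tooling). The syslog-like log layout, host names, versions, user name and addresses are assumptions, constructed for the example.

```python
import ipaddress
import re

# Version that fixes CVE-2026-33784, per the advisory.
FIXED_VERSION = (3, 0, 94)

def parse_version(text):
    """Turn a dotted version string such as '3.0.93' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(version):
    """True when the vLWC build predates the 3.0.94 fix."""
    return parse_version(version) < FIXED_VERSION

def affected_hosts(inventory):
    """Hosts from a {name: version} inventory that still need the patch."""
    return sorted(h for h, v in inventory.items() if is_affected(v))

# Assumed syslog-like layout for the sample lines below; not Juniper's real format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>accepted|failed) "
    r"login for user (?P<user>\S+) from (?P<src>[\d.]+)$"
)

def suspicious_logins(log_lines, admin_nets):
    """Accepted logins whose source is outside the authorized admin networks."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "accepted":
            continue  # unparseable line or a failed attempt
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in nets):
            hits.append((m["ts"], m["host"], m["user"], m["src"]))
    return hits

# Constructed sample data: hostnames, versions, user name and addresses are
# invented for the example and are not taken from any real deployment.
INVENTORY = {"vlwc-dc1": "3.0.93", "vlwc-dc2": "3.0.94", "vlwc-lab": "2.9.10"}
ADMIN_NETS = ["10.10.0.0/24"]
SAMPLE_LOG = [
    "2026-04-10T02:13:07Z vlwc-dc1 auth: accepted login for user admin from 10.10.0.5",
    "2026-04-10T02:14:51Z vlwc-dc1 auth: failed login for user admin from 203.0.113.7",
    "2026-04-10T02:15:02Z vlwc-dc1 auth: accepted login for user admin from 203.0.113.7",
]

if __name__ == "__main__":
    print("needs patch:", affected_hosts(INVENTORY), "review:", suspicious_logins(SAMPLE_LOG, ADMIN_NETS))
```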