In a critical security alert, Juniper Networks has warned of a severe vulnerability in its Support Insights (JSI) Virtual Lightweight Collector (vLWC). The flaw, tracked as CVE-2026-33784, carries a CVSS score of 9.8, signaling that unpatched systems are essentially an open door for network-based attackers.
The vLWC is a key component for providing automated support and health monitoring for Juniper environments, but a fundamental oversight in its provisioning process has left it highly exposed.
The vulnerability centers on the “Use of Default Password” weakness class (CWE-1393), a classic security pitfall. According to the advisory, a “default password is not required to be changed which allows unauthorized high-privileged access.”
Unlike provisioning flows that force users to set a unique password at first login, the vLWC software images “ship with an initial password for a high privileged account.” Crucially, a “change of this password is not enforced during the provisioning of the software.” Any attacker who knows the factory-default credentials can therefore gain full, high-privileged access to the system without ever needing to crack a password hash.
Because the affected account holds high-level privileges, the impact of a successful breach is total. The advisory states that the vulnerability “allows an unauthenticated, network-based attacker to take full control of the device”.
Once an attacker has seized control of a Virtual Lightweight Collector, they could:
- Intercept Data: Monitor and exfiltrate diagnostic data intended for Juniper support.
- Establish Persistence: Create new administrative accounts to ensure long-term access.
- Pivot: Use the compromised collector as a foothold to move laterally into more sensitive areas of the corporate network.
This issue specifically impacts the virtualized version of the lightweight collector:
- Product: Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC).
- Affected Versions: All versions prior to 3.0.94.
Juniper has closed this gap by releasing an updated software image: version 3.0.94 and all subsequent versions enforce secure password management.
If an immediate update is not possible, administrators must manually intervene. The advisory confirms that “the password can be changed in the setup menu of the device”.
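The affected-version scope and the setup-menu workaround above translate directly into an inventory triage check. The following is an added example, not Juniper's code and not taken from the advisory: it takes the fixed version (3.0.94) and the workaround (rotating the initial password) from the advisory, and everything else is assumed. The inventory records, their field names (`host`, `version`, `initial_password_changed`), the host names and the version `3.0.100` (a hypothetical later release used only to show why versions must not be compared as strings) are all constructed for this example.

```python
"""Triage constructed JSI vLWC inventory records against CVE-2026-33784.

Facts from the advisory: all versions prior to 3.0.94 are affected, and on an
affected version the shipped initial password for the high-privileged account
can be changed in the device's setup menu as a workaround.
Everything else here (record layout, field names, sample hosts) is assumed.
"""

from dataclasses import dataclass

FIXED_VERSION = "3.0.94"  # first fixed release named in the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version into integers so comparison is numeric.

    Plain string comparison gets this wrong: "3.0.100" < "3.0.94" as text,
    which would mark a hypothetical later release as vulnerable.
    Raises ValueError on a non-numeric component; the caller should treat
    such records as "needs manual review" rather than silently skipping them.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for every release prior to 3.0.94."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass
class Collector:
    """One inventory record (hypothetical field layout)."""
    host: str
    version: str
    initial_password_changed: bool  # shipped password rotated via the setup menu?


def triage(collectors: list[Collector]) -> list[tuple[str, str]]:
    """Return (host, finding) pairs for collectors that still need action.

    - vulnerable version + initial password unchanged: exposed, act now
    - vulnerable version + password already rotated: workaround applied,
      upgrade still required
    - fixed version: no finding (password management is enforced there)
    """
    findings = []
    for c in collectors:
        try:
            vulnerable = is_vulnerable_version(c.version)
        except ValueError:
            findings.append((c.host, f"review: unparseable version {c.version!r}"))
            continue
        if not vulnerable:
            continue
        if c.initial_password_changed:
            findings.append((c.host, "workaround applied: upgrade to 3.0.94 or later"))
        else:
            findings.append((c.host, "exposed: upgrade to 3.0.94 or later, or change the initial password now"))
    return findings


# Constructed sample inventory; hosts and versions are not real deployments.
SAMPLE_INVENTORY = [
    Collector("vlwc-lab-01", "3.0.9", initial_password_changed=False),
    Collector("vlwc-dc-02", "3.0.80", initial_password_changed=True),
    Collector("vlwc-dc-03", "3.0.94", initial_password_changed=True),
    Collector("vlwc-dc-04", "3.0.100", initial_password_changed=True),  # hypothetical later release
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

The two-tier result matters operationally: a collector whose initial password has been rotated is no longer reachable with the shipped credentials, so it can be scheduled for upgrade, while a collector on an affected version with the initial password still in place needs attention immediately.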