Juniper Networks Patches Dozens of Junos OS Vulnerabilities
Juniper Networks patches nearly three dozen Junos OS vulnerabilities, including critical default password flaw.
Summary
Juniper Networks released patches for approximately 30 vulnerabilities across Junos OS, Junos OS Evolved, CTP OS, and Apstra products. The most critical flaw is CVE-2026-33784 (CVSS 9.8), a default password vulnerability in Support Insights Virtual Lightweight Collector that allows unauthenticated remote takeover. Juniper stated it is not aware of active exploitation of any of these flaws in the wild.
Full text
Juniper Networks this week released patches for nearly three dozen vulnerabilities, including Junos OS and Junos OS Evolved bugs that could lead to privilege escalation, denial-of-service (DoS), and command execution.

The most severe of the flaws is CVE-2026-33784 (CVSS score of 9.8), a default password in the Support Insights (JSI) Virtual Lightweight Collector (vLWC) that could be exploited remotely to take over a vulnerable device.

“vLWC software images ship with an initial password for a high-privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible,” Juniper Networks explains.

Juniper Networks also resolved a weak password issue in CTP OS that could allow remote, unauthenticated attackers to potentially take full control of the device. Tracked as CVE-2026-33771, the security defect exists because settings related to password complexity requirements are not saved, leading to the use of weak passwords that could be guessed and exploited.

A high-severity SSH host key validation vulnerability in Juniper Networks Apstra could be abused in machine-in-the-middle (MITM) attacks to capture user credentials.

Multiple high-severity flaws in Junos OS could allow attackers to cause DoS conditions via crafted packets, directly access FPCs installed on devices, gain root privileges and take over devices, and execute commands to compromise managed devices.

The remaining security defects addressed this week are medium-severity flaws that could allow attackers to cause DoS conditions, execute commands with elevated privileges, gain root privileges, impact the integrity of downstream networks, read sensitive information, bypass the configured firewall filter, or inject arbitrary shell commands as root.

Juniper Networks says it is not aware of any of these vulnerabilities being exploited in the wild.
Additional information can be found on the company’s support portal.

Written by Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
Indicators of Compromise
- cve — CVE-2026-33784
- cve — CVE-2026-33771