Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security flaw has been discovered in UltraVNC up to 1.6.4.0. Affected by this issue is some unknown functionality in the library version.dll of the component Service. The manipulation results in uncontrolled search path. The attack needs to be approached locally. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
AnalysisAI
UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Service component, enabling local attackers with low privileges to achieve code execution with elevated privileges through DLL hijacking. Publicly available exploit code exists (Google Drive link in references), and the vendor has not responded to disclosure attempts. While the CVSS score is 7.3, exploitation requires local access, high attack complexity, and is considered difficult to execute, tempering immediate risk for most deployments.
Technical ContextAI
The vulnerability affects the UltraVNC remote desktop software (CPE: cpe:2.3:a:n/a:ultravnc:*:*:*:*:*:*:*:*) and stems from CWE-427 (Uncontrolled Search Path Element). The Service component of UltraVNC loads version.dll without properly validating its location, allowing attackers to place a malicious DLL in a directory that is searched before the legitimate library location. This is a classic DLL hijacking or binary planting attack where Windows searches directories in a predictable order, and an attacker can exploit this to inject malicious code that executes with the privileges of the service process. The vulnerability specifically targets the service component, which typically runs with SYSTEM-level privileges, making successful exploitation highly valuable for privilege escalation.
RemediationAI
No vendor-released patch is available at time of analysis, as the UltraVNC vendor did not respond to disclosure attempts. Until an official patch is released, implement defense-in-depth measures: restrict local user privileges on systems running UltraVNC Service to prevent unauthorized DLL placement, enforce application whitelisting or endpoint detection controls to block unauthorized DLL loads, audit directory permissions in the UltraVNC installation path and Windows system directories to prevent write access by low-privileged users, and consider disabling the UltraVNC Service if not operationally required. Monitor VulDB entries at https://vuldb.com/?id.353839 and the UltraVNC project repository for future patch availability. Organizations with high security requirements should evaluate alternative remote desktop solutions with active maintenance and security response programs.
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow
UltraVNC revision 1203 has out-of-bounds access vulnerability in VNC client inside RAW decoder, which can potentially re
UltraVNC revision 1211 has multiple improper null termination vulnerabilities in VNC server code, which result in out-of
UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer offer handler, w
UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer request handler,
UltraVNC revision 1211 has multiple off-by-one vulnerabilities in VNC server code, which can potentially result in code
UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer handler, which c
UltraVNC revision 1206 has multiple off-by-one vulnerabilities in VNC client code connected with improper usage of Clien
UltraVNC revision 1207 has multiple out-of-bounds access vulnerabilities connected with improper usage of ClientConnecti
UltraVNC revision 1207 has multiple out-of-bounds access vulnerabilities connected with improper usage of SETPIXELS macr
UltraVNC revision 1203 has out-of-bounds access vulnerability in VNC client inside Ultra2 decoder, which can potentially
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16725
GHSA-x2c8-7fp3-5gg6