Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Remote, unauthenticated, single well-known credential and no lockout give AV:N/AC:L/PR:N/UI:N; admin control over config yields C:H/I:H, with A:N kept per the described impact.
Primary rating from Vendor (securin).
CVSS Vector (Vendor: securin)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (CVE.org)
UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string "adminadmi2" as the admin password via strcpy_s(saved_password, 64, "adminadmi2"). The HTTP Basic-auth handler wi_decode_auth() checks this password without rate-limiting or lockout. Any remote attacker who can reach the repeater HTTP port (default TCP 80) can authenticate as administrator using the well-known default credential on a fresh or unmodified installation, gaining full control of the repeater configuration including allow/deny rules and session visibility.
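A hardening sketch for the first-run path and the Basic-auth check described above, added here as an illustration and not taken from the UltraVNC source. It draws a random initial password instead of writing a literal, refuses logins while the stored password is still the shipped default, and locks out after repeated failures. The function names, the struct, the thresholds and the /dev/urandom source are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define PW_LEN    20   /* generated password length (assumption) */
#define MAX_FAILS 5    /* failures before lockout (assumption) */
#define LOCK_SECS 300  /* lockout duration, seconds (assumption) */
struct auth_state { unsigned fails; time_t locked_until; }; /* hypothetical; one per client address */

/* First run: draw the admin password from the OS CSPRNG instead of a literal.
   /dev/urandom is a POSIX assumption; a Windows build needs its own CSPRNG. */
int generate_initial_password(char *out, size_t out_sz) {
    static const char alphabet[] =  /* 64 symbols, so (byte & 63) is unbiased */
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    unsigned char rnd[PW_LEN];
    FILE *f = out_sz > PW_LEN ? fopen("/dev/urandom", "rb") : NULL;
    if (!f) return -1;
    size_t got = fread(rnd, 1, PW_LEN, f);
    fclose(f);
    if (got != PW_LEN) return -1;
    for (size_t i = 0; i < PW_LEN; i++) out[i] = alphabet[rnd[i] & 63];
    out[PW_LEN] = '\0';
    return 0;
}

/* Comparison whose running time does not depend on where the strings differ. */
static int ct_equal(const char *supplied, const char *stored) {
    size_t ls = strlen(supplied), lt = strlen(stored);
    unsigned char diff = (unsigned char)(ls != lt);
    for (size_t i = 0; i < ls; i++)
        diff |= (unsigned char)(supplied[i] ^ stored[lt ? i % lt : 0]);
    return diff == 0;
}

/* Returns 1 accepted, 0 rejected, -1 locked out, -2 stored password is the
   shipped default and must be reset before any login is honoured. */
int check_admin_password(struct auth_state *st, const char *stored,
                         const char *supplied, time_t now) {
    if (strcmp(stored, "adminadmi2") == 0) return -2;
    if (now < st->locked_until) return -1;
    if (ct_equal(supplied, stored)) { st->fails = 0; return 1; }
    if (++st->fails >= MAX_FAILS) { st->fails = 0; st->locked_until = now + LOCK_SECS; }
    return 0;
}

int main(void) {
    char pw[64];
    if (generate_initial_password(pw, sizeof pw) != 0) return 1;
    return printf("first-run admin password: %s\n", pw) < 0;
}
```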
Analysis (AI)
Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can reach the HTTP administration port (default TCP 80) log in as administrator. On a fresh or unmodified install where settings2.txt is absent, the repeater writes the literal password 'adminadmi2', and the Basic-auth handler enforces no rate-limiting or lockout, so a single well-known credential yields full control over allow/deny rules and session visibility. …
Vulnerability Assessment (AI)
| Exploitation | The repeater must be running its HTTP web administration server (default TCP 80) and be reachable over the network by the attacker, and the installation must still use the first-run default password 'adminadmi2' - i.e. … |
| Risk Assessment | Signals are largely consistent toward high priority: the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H) describes trivially remote, unauthenticated, low-complexity administrative access, and hardcoded-credential bugs are among the easiest to weaponize because no exploit tooling is needed - the attacker simply types 'adminadmi2'. … |
| Exploit Scenario | An attacker scans for repeater HTTP admin ports exposed on the internet or an internal network, opens the interface, and authenticates with the documented default 'adminadmi2' since the operator never changed it. With administrator access they rewrite allow/deny rules to route or observe VNC sessions, pivoting toward the remote-desktop endpoints the repeater brokers. … |
| Remediation | No vendor-released fixed version was identified in the provided data, so treat patch availability as unconfirmed and monitor https://uvnc.com/ and https://github.com/ultravnc/UltraVNC for an update. … |
Recommended Action (AI)
Within 24 hours: Inventory all systems running UltraVNC repeater through version 1.8.2.2; assess network exposure of HTTP administration port (TCP 80). …
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow
UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow
Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac
Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa
Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in
Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h
Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup
Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V
UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr
Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun
UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti
Same weakness CWE-798 – Use of Hard-coded Credentials
Same technique Authentication Bypass
EUVD-2026-40885
GHSA-h7cc-6wq3-9h7x