Skip to main content

Ultravnc EUVDEUVD-2026-16725

| CVE-2026-4962 MEDIUM
Uncontrolled Search Path Element (CWE-427)
2026-03-27 VulDB GHSA-x2c8-7fp3-5gg6
6.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
HIGH MEDIUM
CVSS changed
Apr 29, 2026 - 01:11 NVD
7.3 (HIGH) 6.4 (MEDIUM)
PoC Detected
Mar 30, 2026 - 13:26 vuln.today
Public exploit code
EUVD ID Assigned
Mar 27, 2026 - 17:15 euvd
EUVD-2026-16725
Analysis Generated
Mar 27, 2026 - 17:15 vuln.today
CVE Published
Mar 27, 2026 - 17:05 nvd
HIGH 7.3

DescriptionCVE.org

A security flaw has been discovered in UltraVNC up to 1.6.4.0. Affected by this issue is some unknown functionality in the library version.dll of the component Service. The manipulation results in uncontrolled search path. The attack needs to be approached locally. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

AnalysisAI

UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Service component, enabling local attackers with low privileges to achieve code execution with elevated privileges through DLL hijacking. Publicly available exploit code exists (Google Drive link in references), and the vendor has not responded to disclosure attempts. While the CVSS score is 7.3, exploitation requires local access, high attack complexity, and is considered difficult to execute, tempering immediate risk for most deployments.

Technical ContextAI

The vulnerability affects the UltraVNC remote desktop software (CPE: cpe:2.3:a:n/a:ultravnc:*:*:*:*:*:*:*:*) and stems from CWE-427 (Uncontrolled Search Path Element). The Service component of UltraVNC loads version.dll without properly validating its location, allowing attackers to place a malicious DLL in a directory that is searched before the legitimate library location. This is a classic DLL hijacking or binary planting attack where Windows searches directories in a predictable order, and an attacker can exploit this to inject malicious code that executes with the privileges of the service process. The vulnerability specifically targets the service component, which typically runs with SYSTEM-level privileges, making successful exploitation highly valuable for privilege escalation.

RemediationAI

No vendor-released patch is available at time of analysis, as the UltraVNC vendor did not respond to disclosure attempts. Until an official patch is released, implement defense-in-depth measures: restrict local user privileges on systems running UltraVNC Service to prevent unauthorized DLL placement, enforce application whitelisting or endpoint detection controls to block unauthorized DLL loads, audit directory permissions in the UltraVNC installation path and Windows system directories to prevent write access by low-privileged users, and consider disabling the UltraVNC Service if not operationally required. Monitor VulDB entries at https://vuldb.com/?id.353839 and the UltraVNC project repository for future patch availability. Organizations with high security requirements should evaluate alternative remote desktop solutions with active maintenance and security response programs.

CVE-2020-37133 HIGH POC
7.5 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow

CVE-2020-37132 MEDIUM POC
6.2 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow

CVE-2019-8280 CRITICAL
9.8 Mar 08

UltraVNC revision 1203 has out-of-bounds access vulnerability in VNC client inside RAW decoder, which can potentially re

CVE-2019-8275 CRITICAL
9.8 Mar 08

UltraVNC revision 1211 has multiple improper null termination vulnerabilities in VNC server code, which result in out-of

CVE-2019-8274 CRITICAL
9.8 Mar 08

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer offer handler, w

CVE-2019-8273 CRITICAL
9.8 Mar 08

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer request handler,

CVE-2019-8272 CRITICAL
9.8 Mar 08

UltraVNC revision 1211 has multiple off-by-one vulnerabilities in VNC server code, which can potentially result in code

CVE-2019-8271 CRITICAL
9.8 Mar 08

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer handler, which c

CVE-2019-8268 CRITICAL
9.8 Mar 08

UltraVNC revision 1206 has multiple off-by-one vulnerabilities in VNC client code connected with improper usage of Clien

CVE-2019-8266 CRITICAL
9.8 Mar 08

UltraVNC revision 1207 has multiple out-of-bounds access vulnerabilities connected with improper usage of ClientConnecti

CVE-2019-8265 CRITICAL
9.8 Mar 08

UltraVNC revision 1207 has multiple out-of-bounds access vulnerabilities connected with improper usage of SETPIXELS macr

CVE-2019-8264 CRITICAL
9.8 Mar 08

UltraVNC revision 1203 has out-of-bounds access vulnerability in VNC client inside Ultra2 decoder, which can potentially

Share

EUVD-2026-16725 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy