Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Successful auth bypass grants full desktop visibility and control (C:H/I:H); AC:H retained because attacker must observe a live challenge exchange to enumerate the seed.
Primary rating from Vendor (securin).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Description (NVD)
UltraVNC through 1.8.2.2 uses a cryptographically weak pseudo-random number generator to produce VNC authentication challenge bytes. In rfb/vncauth.c:119-129, the vncRandomBytes() function seeds libc rand() with time(0) + getpid() + rand() and generates a 16-byte challenge. The combined seed space is approximately 31 bits (libc rand() internal state) and is entirely determined by publicly-observable values (wall-clock time and process ID). An attacker who can observe the authentication exchange can enumerate the seed space and predict the challenge within seconds, enabling forgery or offline brute-forcing of responses. Note: on Windows, the active code path may use vncEncryptBytes2.cpp which calls CryptGenRandom; reachability on shipped Windows binaries requires compile-graph verification and is under investigation.
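The weakness described above, shown beside a hardened form, as an added example (constructed for illustration; it is not UltraVNC source code). The function names and the use of `/dev/urandom` on a POSIX build are assumptions; the 16-byte challenge length and the `rand()` seeding pattern come from the description.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHALLENGE_LEN 16  /* challenge size stated in the description */

/* Weak pattern: libc rand() seeded from a guessable value. The seed is a
 * parameter here (standing in for time(0) + getpid() + rand()) so that the
 * determinism is visible: the challenge is a pure function of the seed. */
void weak_challenge(unsigned int seed, unsigned char out[CHALLENGE_LEN])
{
    srand(seed);
    for (int i = 0; i < CHALLENGE_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened form: take the bytes from the OS CSPRNG and fail closed.
 * Returns 0 on success, -1 if the full challenge could not be read;
 * the caller must refuse the handshake on -1, never fall back to rand(). */
int strong_challenge(unsigned char out[CHALLENGE_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(out, 1, CHALLENGE_LEN, f);
    fclose(f);
    return n == CHALLENGE_LEN ? 0 : -1;
}

int main(void)
{
    unsigned char a[CHALLENGE_LEN], b[CHALLENGE_LEN];

    /* Constructed seed value: the same seed always yields the same bytes. */
    weak_challenge(1234567u, a);
    weak_challenge(1234567u, b);
    printf("rand() challenge repeats for equal seed: %s\n",
           memcmp(a, b, CHALLENGE_LEN) == 0 ? "yes" : "no");

    if (strong_challenge(a) != 0 || strong_challenge(b) != 0) {
        fprintf(stderr, "CSPRNG unavailable, refusing to issue challenge\n");
        return 1;
    }
    printf("CSPRNG challenges repeat: %s\n",
           memcmp(a, b, CHALLENGE_LEN) == 0 ? "yes" : "no");
    return 0;
}
```

On Windows the equivalent source of challenge bytes is the system CSPRNG, which the description notes the `vncEncryptBytes2.cpp` path already calls through `CryptGenRandom`.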
Analysis (AI)
UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can predict by observing network traffic and enumerating a roughly 31-bit seed space derived from wall-clock time and process ID. Successful seed reconstruction allows the attacker to forge or brute-force valid VNC authentication responses, effectively bypassing the RFB challenge-response mechanism and gaining unauthorized remote desktop access. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the attacker be able to passively observe the VNC RFB authentication exchange over the network - specifically, the 16-byte challenge transmitted in cleartext during the VNC security handshake. … |
| Risk Assessment | The NVD-assigned CVSS vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N scores 4.8 (Medium), with AC:H reflecting the attacker's need to observe the authentication exchange and enumerate the seed space under timing constraints. … |
| Exploit Scenario | An attacker with visibility into VNC network traffic - via a compromised network segment, ARP spoofing, or a tap - captures the 16-byte RFB challenge transmitted in cleartext during a legitimate VNC login attempt. Using the known seed formula (time(0) + getpid() + rand()), the attacker enumerates approximately 2 billion seed candidates on commodity hardware, reconstructs the nonce, and submits a forged authentication response to establish an unauthorized VNC session. … |
| Remediation | No vendor-released patch has been identified at time of analysis - the available references point only to the vendor homepage (https://uvnc.com/) and the GitHub repository (https://github.com/ultravnc/UltraVNC) without specifying a fixed release version. … |
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow
UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow
Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac
Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r
Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa
Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in
Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h
Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup
Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V
Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun
UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti
EUVD-2026-40879
GHSA-j37g-g7hg-vhg6