Skip to main content

UltraVNC Repeater EUVDEUVD-2026-40885

| CVE-2026-7839 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-07-01 securin GHSA-h7cc-6wq3-9h7x
9.1
CVSS 3.1 · Vendor: securin
Share

Severity by source

Vendor (securin) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
9.1 CRITICAL

Remote, unauthenticated, single well-known credential and no lockout give AV:N/AC:L/PR:N/UI:N; admin control over config yields C:H/I:H, with A:N kept per the described impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (securin).

CVSS VectorVendor: securin

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 05:20 vuln.today

DescriptionCVE.org

UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string "adminadmi2" as the admin password via strcpy_s(saved_password, 64, "adminadmi2"). The HTTP Basic-auth handler wi_decode_auth() checks this password without rate-limiting or lockout. Any remote attacker who can reach the repeater HTTP port (default TCP 80) can authenticate as administrator using the well-known default credential on a fresh or unmodified installation, gaining full control of the repeater configuration including allow/deny rules and session visibility.

AnalysisAI

Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can reach the HTTP administration port (default TCP 80) log in as administrator. On a fresh or unmodified install where settings2.txt is absent, the repeater writes the literal password 'adminadmi2', and the Basic-auth handler enforces no rate-limiting or lockout, so a single well-known credential yields full control over allow/deny rules and session visibility. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed repeater HTTP admin port
Delivery
Send Basic-auth login with 'adminadmi2'
Exploit
wi_decode_auth() accepts hardcoded default
Execution
Gain administrator control of repeater
Impact
Alter allow/deny rules and view sessions

Vulnerability AssessmentAI

Exploitation The repeater must be running its HTTP web administration server (default TCP 80) and be reachable over the network by the attacker, and the installation must still use the first-run default password 'adminadmi2' - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent toward high priority: the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H) describes trivially remote, unauthenticated, low-complexity administrative access, and hardcoded-credential bugs are among the easiest to weaponize because no exploit tooling is needed - the attacker simply types 'adminadmi2'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans for repeater HTTP admin ports exposed on the internet or an internal network, opens the interface, and authenticates with the documented default 'adminadmi2' since the operator never changed it. With administrator access they rewrite allow/deny rules to route or observe VNC sessions, pivoting toward the remote-desktop endpoints the repeater brokers. …
Remediation No vendor-released fixed version was identified in the provided data, so treat patch availability as unconfirmed and monitor https://uvnc.com/ and https://github.com/ultravnc/UltraVNC for an update. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running UltraVNC repeater through version 1.8.2.2; assess network exposure of HTTP administration port (TCP 80). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-37133 HIGH POC
7.5 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow

CVE-2026-4962 MEDIUM POC
6.4 Mar 27

UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi

CVE-2020-37132 MEDIUM POC
6.2 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow

CVE-2026-7840 CRITICAL
9.3 Jul 01

Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac

CVE-2026-7838 HIGH
8.7 Jul 01

Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa

CVE-2026-7831 HIGH
7.6 Jul 01

Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in

CVE-2026-7830 HIGH
7.4 Jul 01

Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h

CVE-2026-7829 HIGH
7.2 Jul 01

Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup

CVE-2026-44041 MEDIUM
6.5 Jul 01

Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V

CVE-2026-44040 MEDIUM
6.5 Jul 01

UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr

CVE-2026-7828 MEDIUM
5.3 Jul 01

Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun

CVE-2026-44042 LOW
3.7 Jul 01

UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti

Share

EUVD-2026-40885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy