CVE-2026-3787 Overview
A DLL hijacking vulnerability has been identified in UltraVNC 1.6.4.0 on Windows platforms. This weakness affects an unknown function in the library cryptbase.dll within the Windows Service component. The vulnerability allows attackers with local access to manipulate the DLL search path, potentially leading to arbitrary code execution with elevated privileges. Exploitation requires a high degree of complexity and is reported as difficult.
Critical Impact
Local attackers can exploit the uncontrolled search path to load malicious DLLs, potentially achieving code execution with the privileges of the UltraVNC Windows Service.
Affected Products
- UltraVNC 1.6.4.0
- Microsoft Windows (all versions running affected UltraVNC)
Discovery Timeline
- 2026-03-08 - CVE-2026-3787 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-3787
Vulnerability Analysis
This vulnerability is classified as CWE-426 (Untrusted Search Path), a weakness that occurs when an application searches for critical resources such as DLLs using an algorithm that can be influenced by an attacker. In the case of UltraVNC 1.6.4.0, the Windows Service component loads cryptbase.dll without properly validating or specifying the full path to the legitimate DLL.
When a Windows application loads a DLL without specifying an absolute path, Windows follows a predetermined search order in which the directory the application was loaded from typically comes before the system directories. An attacker who can place a malicious DLL in a location that precedes the legitimate DLL in this search path can achieve code execution within the context of the vulnerable application.
The attack requires local access to the target system, and the complexity is high because the attacker must have write access to a directory in the DLL search path and must time the attack to coincide with the service loading the library. The vendor was contacted early about this disclosure but did not respond in any way.
Root Cause
The root cause of this vulnerability is the failure to use absolute paths when loading the cryptbase.dll library within the UltraVNC Windows Service. This allows the Windows DLL search order to be exploited, enabling an attacker to inject a malicious DLL that will be loaded instead of the legitimate system library.
Attack Vector
The attack vector is local, requiring the attacker to already have some level of access to the target system. The attacker must:
- Identify a writable location in the DLL search path used by the UltraVNC service
- Place a malicious cryptbase.dll in that location
- Wait for or trigger the UltraVNC service to load the DLL
The vulnerability manifests when the UltraVNC Windows Service attempts to load cryptbase.dll from an uncontrolled search path. An attacker with local access and write permissions to a directory in the search path can place a malicious DLL that will be loaded by the service. For technical details, see the VulDB entry and the researcher's documentation.
Detection Methods for CVE-2026-3787
Indicators of Compromise
- Presence of unexpected cryptbase.dll files in the UltraVNC installation directory or application working directories
- Unusual DLL files appearing in directories within the system PATH that are writable by non-administrative users
- UltraVNC service exhibiting unexpected behavior or network connections after restart
Detection Strategies
- Monitor for DLL creation events in the UltraVNC installation directory and related paths using file integrity monitoring tools
- Implement application whitelisting to detect unauthorized DLLs being loaded by the UltraVNC service
- Use Sysmon or similar tools to log DLL loading events (Event ID 7) for the UltraVNC service process
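As an added illustration of the Event ID 7 strategy above (this is not code from the advisory or from UltraVNC), the following Python example triages exported Sysmon image-load events and flags any cryptbase.dll that the service loads from outside the system directories. It assumes the service binary is named winvnc.exe, a default C:\Windows system root, and events exported as dictionaries keyed by Sysmon's field names; the sample events are constructed.

```python
import ntpath

# Assumptions, not from the advisory: the service binary is named winvnc.exe,
# Windows is installed in C:\Windows, and events are Sysmon Event ID 7
# (ImageLoad) records exported as dicts keyed by Sysmon's field names.
SERVICE_IMAGE = "winvnc.exe"
TARGET_DLL = "cryptbase.dll"
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def _norm(path):
    # Case-fold and collapse separators so comparisons match Windows semantics.
    return ntpath.normcase(ntpath.normpath(path or ""))

def classify_image_load(event):
    """Return a finding dict for a suspect cryptbase.dll load, else None."""
    if event.get("EventID") != 7:
        return None
    image, loaded = _norm(event.get("Image")), _norm(event.get("ImageLoaded"))
    if ntpath.basename(image) != SERVICE_IMAGE or ntpath.basename(loaded) != TARGET_DLL:
        return None
    load_dir = ntpath.dirname(loaded)
    if load_dir in TRUSTED_DIRS:
        return None  # legitimate system copy
    reasons = ["outside-system-dir"]
    if load_dir == ntpath.dirname(image):
        reasons.append("app-dir-shadowing")  # copy sits next to the service binary
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("unsigned")
    return {"time": event.get("UtcTime"), "path": event.get("ImageLoaded"),
            "pid": event.get("ProcessId"), "reasons": reasons}

def triage(events):
    # Keep only the events that produced a finding, in log order.
    return [f for f in map(classify_image_load, events) if f]

# Constructed sample events (not real telemetry).
SVC = r"C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2026-03-11 08:00:01.120", "ProcessId": 2212, "Image": SVC,
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll", "Signed": "true"},
    {"EventID": 7, "UtcTime": "2026-03-11 09:14:37.903", "ProcessId": 4480, "Image": SVC,
     "ImageLoaded": r"C:\Program Files\uvnc bvba\UltraVNC\cryptbase.dll", "Signed": "false"},
    {"EventID": 7, "UtcTime": "2026-03-11 09:20:02.515", "ProcessId": 5120, "Image": SVC,
     "ImageLoaded": r"C:\Tools\bin\CRYPTBASE.DLL", "Signed": "false"},
    {"EventID": 1, "UtcTime": "2026-03-11 09:14:37.100", "ProcessId": 4480, "Image": SVC},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Correlating each finding's time and process ID with the service start events mentioned under Monitoring Recommendations shows which service restart picked up the stray DLL.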
Monitoring Recommendations
- Enable Windows Event Logging for service start/stop events and correlate with DLL loading activities
- Deploy endpoint detection and response (EDR) solutions like SentinelOne to detect DLL hijacking attempts in real-time
- Regularly audit directory permissions on paths included in the system DLL search order
How to Mitigate CVE-2026-3787
Immediate Actions Required
- Restrict write permissions on the UltraVNC installation directory and any directories in the service's DLL search path
- Ensure only administrators have write access to directories that appear early in the Windows DLL search order
- Consider running the UltraVNC service with minimal required privileges to limit potential impact
Patch Information
No official patch is currently available from the vendor. The vendor was contacted early about this disclosure but did not respond. Organizations should monitor for future security updates from UltraVNC and consider the workarounds below. For additional technical details, refer to the VulDB advisory.
Workarounds
- Apply strict directory permissions to prevent unauthorized users from placing DLLs in the search path
- Consider using application control policies (AppLocker or Windows Defender Application Control) to restrict which DLLs can be loaded
- Evaluate alternative remote access solutions if the risk is unacceptable for your environment
```powershell
# Example: Restrict permissions on UltraVNC installation directory
icacls "C:\Program Files\uvnc bvba\UltraVNC" /inheritance:r
icacls "C:\Program Files\uvnc bvba\UltraVNC" /grant:r "SYSTEM:(OI)(CI)F"
icacls "C:\Program Files\uvnc bvba\UltraVNC" /grant:r "Administrators:(OI)(CI)F"
icacls "C:\Program Files\uvnc bvba\UltraVNC" /grant:r "Users:(OI)(CI)RX"
```


