Skip to main content
CVE Vulnerability Database

CVE-2026-7839: UltraVNC Auth Bypass Vulnerability

CVE-2026-7839 is an authentication bypass vulnerability in UltraVNC repeater through 1.8.2.2 caused by a hardcoded default password. Attackers can gain full administrative control. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-7839 Overview

CVE-2026-7839 is a hardcoded credentials vulnerability [CWE-798] in UltraVNC repeater through version 1.8.2.2. On first run, when settings2.txt is absent, the repeater writes the literal string adminadmi2 as the administrator password to its HTTP administration server. Any remote attacker who can reach the repeater HTTP port (default TCP 80) can authenticate as administrator using this well-known default credential. Successful authentication grants full control of the repeater configuration, including allow/deny rules and session visibility.

Critical Impact

Remote, unauthenticated attackers can gain administrative control of unmodified UltraVNC repeater installations using a hardcoded default password.

Affected Products

  • UltraVNC repeater versions through 1.8.2.2
  • uvnc:ultravnc component as identified in CPE cpe:2.3:a:uvnc:ultravnc:*:*:*:*:*:*:*:*
  • Fresh or unmodified installations where settings2.txt has not been customized

Discovery Timeline

  • 2026-07-01 - CVE-2026-7839 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-7839

Vulnerability Analysis

The UltraVNC repeater ships an HTTP administration server that authenticates administrators using HTTP Basic authentication. On first startup, the repeater checks for settings2.txt. When the file is absent, the initialization code in repeater/webgui/settings.c:197 writes the literal string adminadmi2 as the saved administrator password via strcpy_s(saved_password, 64, "adminadmi2").

The Basic-auth handler wi_decode_auth() validates submitted credentials against this stored password without rate-limiting, lockout, or forced password change on first login. Attackers who reach the repeater HTTP port authenticate as administrator using the known default credential, then modify allow/deny rules, view active sessions, and pivot into VNC traffic relayed through the repeater.

Root Cause

The root cause is the embedded default credential adminadmi2 written during initialization. The application does not require an administrator to set a unique password on first run and does not warn about the default state. The credential is discoverable through the public source in the UltraVNC GitHub repository, making exploitation trivial once network reachability is established.

Attack Vector

Exploitation requires network access to the repeater's HTTP administration port (default TCP 80). The attacker sends an HTTP request with a Basic authorization header containing the base64-encoded pair admin:adminadmi2. The server accepts the credential and issues an authenticated session, exposing configuration endpoints. No user interaction and no prior privileges are required.

Refer to the UltraVNC official website and UltraVNC GitHub repository for source and release details.

Detection Methods for CVE-2026-7839

Indicators of Compromise

  • HTTP requests to the repeater administration port containing the Basic auth header value Basic YWRtaW46YWRtaW5hZG1pMg== (base64 of admin:adminadmi2).
  • Unexpected modifications to repeater allow/deny rules or session routing configuration.
  • Successful administrative logins from external or non-management IP addresses.

Detection Strategies

  • Inspect web proxy and network flow logs for authenticated sessions to the repeater HTTP port from untrusted networks.
  • Compare the current settings2.txt password hash or value against the known default string adminadmi2 to identify unremediated installations.
  • Alert on configuration file writes to settings2.txt outside of scheduled maintenance windows.

Monitoring Recommendations

  • Monitor TCP 80 (or the configured repeater HTTP port) for external reachability and unexpected inbound connections.
  • Track authentication events on the repeater administration interface and flag repeated access attempts.
  • Capture and review changes to repeater routing rules and session visibility settings.

How to Mitigate CVE-2026-7839

Immediate Actions Required

  • Change the administrator password on every UltraVNC repeater installation immediately, replacing the default adminadmi2 value in settings2.txt.
  • Restrict network access to the repeater HTTP administration port to trusted management networks using firewall rules or ACLs.
  • Audit existing repeater configurations for unauthorized allow/deny rule changes since deployment.

Patch Information

At the time of publication, no vendor advisory or fixed release has been listed in the enriched data. Track the UltraVNC GitHub repository and the UltraVNC official website for updated releases beyond 1.8.2.2 that remove the hardcoded default and require administrator password configuration on first run.

Workarounds

  • Block inbound access to the repeater HTTP port from untrusted networks at the perimeter and host firewall.
  • Place the repeater behind a reverse proxy that enforces additional authentication and rate-limiting before requests reach wi_decode_auth().
  • Disable the HTTP administration interface if it is not required for operational management.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.