Insecure Cryptography Vulnerability in UltraVNC by UltraVNC
CVE-2026-7830

7.4 HIGH

Key Information:

Vendor

Uvnc

Status
Vendor
CVE Published: 1 July 2026

What is CVE-2026-7830?

UltraVNC versions up to 1.8.2.2 contain a significant cryptographic vulnerability in the MS-Logon II authentication scheme. The scheme's Diffie-Hellman key exchange uses parameters limited to a 64-bit integer, which is within reach of Pollard's rho algorithm: a 64-bit DH key can be broken in less than a second on modern hardware. In addition, the private exponent is generated by an insecure random number generation process tied to system time, which further weakens the exchange against passive observers. An attacker with network access who eavesdrops on the MS-Logon II handshake could decrypt the usernames and passwords it carries, potentially leading to full credential disclosure.
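
The two weaknesses described above, expressed as a parameter audit. This is an added example, not code from UltraVNC or from the advisory. The 2048-bit floor, the one-hour clock window, the use of Python's `random.Random` as a stand-in for a time-seeded generator, and both moduli are assumptions constructed for illustration.

```python
import math
import random
import secrets

MIN_MODULUS_BITS = 2048  # assumed policy floor for finite-field DH, not from the advisory


def sqrt_attack_bits(modulus: int) -> float:
    """log2 of the group operations a square-root discrete-log attack
    (the Pollard's rho class) needs: about half the modulus size."""
    return modulus.bit_length() / 2


def time_seeded_exponent(unix_second: int, bits: int = 64) -> int:
    """Weak pattern: all generator state comes from the clock, so the
    output is a pure function of when the handshake happened."""
    return random.Random(unix_second).getrandbits(bits)


def csprng_exponent(modulus: int) -> int:
    """Hardened pattern: exponent drawn from the OS CSPRNG, in [2, p-2]."""
    return 2 + secrets.randbelow(modulus - 3)


def audit(modulus: int, clock_seeded: bool, clock_window_s: int = 3600) -> dict:
    """Return effective strength in bits and the findings behind it.
    clock_window_s: how closely an observer can bound the handshake time."""
    findings = []
    strength = sqrt_attack_bits(modulus)
    if modulus.bit_length() < MIN_MODULUS_BITS:
        findings.append(f"modulus is {modulus.bit_length()} bits, below {MIN_MODULUS_BITS}")
    if clock_seeded:
        seed_bits = math.log2(clock_window_s)
        findings.append(f"exponent has at most {seed_bits:.1f} bits of entropy")
        strength = min(strength, seed_bits)
    return {"strength_bits": strength, "findings": findings}


# Constructed inputs: a 64-bit prime and a size-only stand-in for a 2048-bit modulus.
P64 = 2**64 - 59
P2048_STANDIN = (1 << 2047) | 1

if __name__ == "__main__":
    print(audit(P64, clock_seeded=True))
    print(audit(P2048_STANDIN, clock_seeded=False))
```

The effective strength is the smaller of the two bounds, so enlarging the modulus alone does not help while the exponent is still derived from the clock.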

Affected Version(s)

UltraVNC 0 <= 1.8.2.2

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arjun Basnet, Securin (arjun.basnet@securin.io)