Default Password Vulnerability in UltraVNC Repeater
CVE-2026-7839

9.1 CRITICAL

Key Information:

Vendor: Uvnc

Status
Vendor
CVE Published: 1 July 2026

What is CVE-2026-7839?

The UltraVNC Repeater before version 1.8.2.2 initializes its HTTP administration server with a hardcoded default password, 'adminadmi2', when the settings file is absent during the first run. Because the server has no protective mechanisms such as rate-limiting or lockout, any remote attacker with access to the repeater's HTTP port can authenticate as an administrator and gain full control over the repeater's configuration settings, including permission rules and session visibility.

Affected Version(s)

UltraVNC 0 <= 1.8.2.2

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arjun Basnet, Securin (arjun.basnet@securin.io)