UltraVNC: 3 Critical Flaws (CVE-2026-7840) - Repeater Takeover With No Password, Update to 1.8.2.4

UltraVNC has three critical flaws. The repeater can be hijacked with no password (CVE-2026-7840, CVSS 9.8); a viewer bug lets a rogue server seize your PC. Update to 1.8.2.4.

News | Published July 1, 2026

Three serious vulnerabilities have been found in "UltraVNC," free software that lets you operate a distant PC's screen directly from your own machine. The most dangerous one lets the "repeater" (a server that relays multiple connections at once) be taken over with no password at all. The identifiers are CVE-2026-7840 and two others, and the most severe reaches CVSS 9.8 out of 10. All three affect versions up to 1.8.2.2, and the developer has fixed them in the latest 1.8.2.4.

UltraVNC has long been used at help desks and in maintenance work to "operate a distant PC screen and all." These three are different kinds of holes: takeover of the connection-relaying server, unauthorized login via a reused default password, and a flaw in the viewing-side software that is hijacked by a booby-trapped server. Information and versions are published on the official UltraVNC site and the development repository on GitHub.

CVE           | Target and issue                                                                           | Severity
CVE-2026-7840 | Relay server (repeater) admin console: taken over with no password via a crafted request   | 9.8 (maximum-class)
CVE-2026-7839 | Relay server admin console: admin login via a reused default password                      | 9.1
CVE-2026-7838 | Viewing-side software (viewer): hijacked when connecting to a booby-trapped server          | 8.8

*Severity (CVSS) rates danger out of 10. As of now, these three are not listed in the U.S. CISA catalog of exploited vulnerabilities (KEV), and no exploitation has been reported. But once a fix is public, attackers can more easily analyze the flaw, so updating early is safer.

Who is at risk, and what is the damage

Holes like this are hunted by attackers who mechanically scan for internet-exposed remote-operation relay servers and use them as a foothold for intrusion. UltraVNC repeaters are often placed facing the internet so people can connect from outside or from another site, and their admin console listens by default on a familiar web port (port 80). That makes them easy to find and easy to target.

The attacker can take over the relay server by sending a single crafted request, without entering any password. With a separate flaw, they can also walk straight into the admin console using the shared default password "adminadmi2" that many deployments leave unchanged. The repeater is the hub that bundles and relays multiple remote connections, so once it is seized, every connection passing through it can be spied on or used as a stepping stone to other PCs.

The third flaw works in the opposite direction. The attacker sets up a booby-trapped VNC server, and the moment a victim connects to it with the viewing-side software, the victim's own PC is taken over. An attacker positioned to intercept the traffic (on the same office network or public Wi-Fi, for instance) can also inject into a legitimate exchange to trigger it. Not only the side "providing" remote support but also the side "receiving" it and "reaching out to connect" is put at risk, which is why all three should be handled together. A similar pitfall has appeared before: another screen-sharing library had a flaw where merely connecting to a malicious server could take over the PC.

What UltraVNC is, and whether you are affected

UltraVNC is free remote-operation software for Windows. It mirrors the other PC's screen to your hands so you can drive it with your mouse and keyboard or send files. It falls into the same "operate someone's PC remotely" category as TeamViewer and AnyDesk, and has long been used by in-house help desks and for maintenance. It is made of three parts: a "server" that runs on the operated side, a "viewer" that runs on the operating side, and a "repeater" that sits between them and relays the connection.

The key point is that the three are not all the same part's problem. Whether you are affected depends on which part you run and how. Check your own situation against the table below.

Part                           | Vulnerability                | Risky usage
Relay server (repeater)        | CVE-2026-7840, CVE-2026-7839 | Admin console exposed to the internet; left on the default password
Viewing-side software (viewer) | CVE-2026-7838                | Connecting to an untrusted party's server; exchanging unencrypted traffic in the open

If you use it personally without setting up a repeater, you are not the direct target of the two relay-server flaws (CVE-2026-7840 and CVE-2026-7839). Even so, if you use the viewing-side software for remote connections, the third flaw (CVE-2026-7838) applies. You can check your version on UltraVNC's screen; anything up to 1.8.2.2 is subject to the update. Rather than agonizing over the conditions, the sure move is to upgrade to the latest version first.

Inside the three vulnerabilities

CVE-2026-7840: the relay server is taken over with no password (severity 9.8)

The repeater comes with a web admin console (an HTTP admin server, TCP port 80 by default) for viewing and changing settings. This server copies the address part (URI) of an incoming request into a fixed 1000-byte box prepared in advance. But there was no length check before copying. Since the receiving side accepts addresses of nearly 150,000 bytes, an attacker sending an address longer than 1500 bytes overflows the box and overwrites the neighboring memory. This is a memory-corruption bug called an out-of-bounds write (CWE-787), and when exploited well it runs the attacker's chosen program on the computer the repeater runs on. Because this processing runs before the login check, no password is needed at all. It is the most dangerous of the three.
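To make the bug class concrete, here is an added example (my own code, not UltraVNC's source, which the article does not quote) of the "fixed box with no length check" pattern beside a hardened version. The buffer size, the request-line format and the status codes are assumptions for the demonstration; the point is that the length is checked before a single byte is written.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed URI buffer the article describes (hypothetical reconstruction). */
#define URI_BUF_SIZE 1000

/* "Before" shape of the bug (CWE-787): the URI is copied with no length check,
 * so anything longer than the buffer overwrites neighbouring memory.
 * Kept only for contrast; nothing below calls it. */
void copy_uri_unchecked(char *dst, const char *uri)
{
    strcpy(dst, uri);
}

/* Hardened copy: rejects any URI that would not fit together with its NUL
 * terminator, and only writes after the check has passed. */
bool copy_uri_checked(char *dst, size_t dst_size, const char *uri, size_t uri_len)
{
    if (dst == NULL || uri == NULL || dst_size == 0)
        return false;
    if (uri_len >= dst_size)          /* no room for the terminator: reject */
        return false;
    memcpy(dst, uri, uri_len);
    dst[uri_len] = '\0';
    return true;
}

/* Parse a request line of the form "GET <uri> HTTP/1.1" and copy the URI into
 * uri_out. Returns an HTTP-style status: 400 for a malformed line, 414 (URI Too
 * Long) when the URI does not fit, 200 when it was accepted. */
int handle_request_line(const char *line, char *uri_out, size_t uri_out_size)
{
    const char *start = strchr(line, ' ');
    if (start == NULL)
        return 400;
    start++;
    const char *end = strchr(start, ' ');
    if (end == NULL)
        return 400;
    size_t uri_len = (size_t)(end - start);
    if (!copy_uri_checked(uri_out, uri_out_size, start, uri_len))
        return 414;
    return 200;
}

/* Build a constructed request line whose URI is exactly uri_len bytes
 * ("/" followed by 'A's) and feed it to the handler. */
int status_for_uri_length(size_t uri_len)
{
    if (uri_len == 0)
        return 400;
    const char *tail = " HTTP/1.1";
    char *line = malloc(4 + uri_len + strlen(tail) + 1);
    if (line == NULL)
        return -1;
    memcpy(line, "GET ", 4);
    line[4] = '/';
    memset(line + 5, 'A', uri_len - 1);
    strcpy(line + 4 + uri_len, tail);

    char uri[URI_BUF_SIZE];
    int status = handle_request_line(line, uri, sizeof uri);
    free(line);
    return status;
}

int main(void)
{
    size_t lengths[] = { 6, 999, 1000, 1500, 150000 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("URI of %6zu bytes -> %d\n", lengths[i], status_for_uri_length(lengths[i]));
    return 0;
}
```

The checked version rejects a 1000-byte URI as well as a 150,000-byte one, because the terminator also needs a byte; the rejection happens before the copy, so an over-long address never reaches the buffer at all.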

CVE-2026-7839: admin login via a reused default password (severity 9.1)

The same repeater admin server has another problem. On first startup, when the settings file (settings2.txt) does not yet exist, the admin password is initialized to "adminadmi2," a product-wide hard-coded value (classified as use of hard-coded credentials, CWE-798). If it is run with this default unchanged, any attacker who knows the value can log in as administrator. On top of that, there is no attempt limit or temporary account lock no matter how many times the password is entered wrong, so it was easy to break even by brute force. Once inside as admin, the attacker gains the access-control rules (which connections are allowed) and even the list of sessions in progress.
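The two defensive controls this paragraph says were missing, refusing to operate on the shipped default and locking the account after repeated failures, look like this in an added example (my own code, not the repeater's; the lock threshold, lock duration and plain-text password storage are simplifying assumptions, and a real console would store a password hash).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* The product-wide default the article names; a console still using it must refuse logins. */
#define DEFAULT_PASSWORD "adminadmi2"
#define MAX_FAILURES     5      /* consecutive wrong attempts before a lock (assumed) */
#define LOCKOUT_SECONDS  300    /* length of the temporary lock (assumed) */

typedef enum {
    LOGIN_OK,
    LOGIN_BAD_PASSWORD,
    LOGIN_LOCKED,
    LOGIN_DEFAULT_REFUSED
} login_result;

typedef struct {
    const char *password;   /* configured admin password (a real console stores a hash) */
    int failures;           /* consecutive wrong attempts since the last success or lock */
    time_t locked_until;    /* 0 when not locked */
} admin_console;

/* Guard for CWE-798: never treat the shipped default as a working password. */
bool password_is_default(const char *pw)
{
    return pw != NULL && strcmp(pw, DEFAULT_PASSWORD) == 0;
}

/* Compare without returning early on the first mismatching byte. */
static bool same_secret(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb ? 1 : 0);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

login_result admin_login(admin_console *c, const char *attempt, time_t now)
{
    if (password_is_default(c->password))
        return LOGIN_DEFAULT_REFUSED;        /* operator must set a real password first */
    if (c->locked_until != 0 && now < c->locked_until)
        return LOGIN_LOCKED;                 /* still inside the lock window */
    if (same_secret(attempt, c->password)) {
        c->failures = 0;
        c->locked_until = 0;
        return LOGIN_OK;
    }
    c->failures++;
    if (c->failures >= MAX_FAILURES) {
        c->locked_until = now + LOCKOUT_SECONDS;
        c->failures = 0;
    }
    return LOGIN_BAD_PASSWORD;
}

/* Drive one fresh console through wrong_guesses bad attempts at t = 0, 1, 2, ...
 * and then one final attempt at final_time; returns the final result. */
login_result run_sequence(const char *configured, int wrong_guesses,
                          const char *final_attempt, time_t final_time)
{
    admin_console c = { configured, 0, 0 };
    for (int i = 0; i < wrong_guesses; i++)
        admin_login(&c, "not-the-password", (time_t)i);
    return admin_login(&c, final_attempt, final_time);
}

int main(void)
{
    const char *strong = "constructed-passphrase-9f3k";   /* constructed sample value */
    printf("default password, correct guess : %d\n",
           run_sequence(DEFAULT_PASSWORD, 0, DEFAULT_PASSWORD, 0));
    printf("5 wrong, then correct at t=100  : %d\n", run_sequence(strong, 5, strong, 100));
    printf("5 wrong, then correct at t=1000 : %d\n", run_sequence(strong, 5, strong, 1000));
    return 0;
}
```

With the default still configured, even the correct guess is refused (LOGIN_DEFAULT_REFUSED); with a real password, five wrong attempts lock the console for the lock window and the right password only works again after it expires.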

CVE-2026-7838: the side connecting to a booby-trapped server is taken over (severity 8.8)

The third is a flaw in the viewing-side software (viewer). A number used in length calculations for the screen data can overflow (an integer overflow, CWE-190), which then causes memory corruption (a heap buffer overflow). It triggers when a victim connects with the viewer to a VNC server the attacker has booby-trapped. Alternatively, an attacker positioned to intercept and tamper with the exchange with a legitimate server (a man-in-the-middle) can craft the traffic to trigger it. When it succeeds, the attacker's program runs with the privileges of the user running the viewer. This attack requires the user to connect to the server, but reaching out to an unfamiliar party's server during remote support is not unusual.
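The integer-overflow-to-heap-overflow chain described here is easiest to see in code, so the following added example (my own, not the viewer's source) shows a 32-bit frame-size calculation that silently wraps beside one that checks every multiplication first. The pixel-format limits and the rectangle-bounds helper are assumptions; the VNC wire format is not reproduced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* "Before" shape of the bug (CWE-190): the product is computed in 32 bits and
 * silently wraps, so a tiny buffer is allocated for a huge frame and the
 * screen data then overruns it. Kept for contrast only. */
uint32_t frame_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;
}

/* Hardened version: each multiplication is checked against the 32-bit limit
 * before it happens, and pixel formats the viewer does not support are
 * rejected. Returns 0 on any rejection (0 is never valid for a real frame). */
uint32_t frame_bytes_checked(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    if (width == 0 || height == 0)
        return 0;
    if (bytes_per_pixel == 0 || bytes_per_pixel > 4)      /* 8/16/24/32-bit pixels only */
        return 0;
    if (height > UINT32_MAX / width)                       /* width * height would wrap */
        return 0;
    uint32_t pixels = width * height;
    if (pixels > UINT32_MAX / bytes_per_pixel)             /* pixels * bpp would wrap */
        return 0;
    return pixels * bytes_per_pixel;
}

/* A rectangle update sent by the server must lie inside the negotiated
 * framebuffer. Sums are done in 32 bits, where two 16-bit values cannot wrap. */
bool rect_in_bounds(uint32_t fb_width, uint32_t fb_height,
                    uint16_t x, uint16_t y, uint16_t w, uint16_t h)
{
    return (uint32_t)x + w <= fb_width && (uint32_t)y + h <= fb_height;
}

/* Allocate a frame only when the size survived the checks; NULL otherwise. */
unsigned char *allocate_frame(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    uint32_t n = frame_bytes_checked(width, height, bytes_per_pixel);
    if (n == 0)
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed geometries: a normal desktop and a server-supplied hostile one. */
    printf("1920x1080x4 unchecked=%u checked=%u\n",
           frame_bytes_unchecked(1920, 1080, 4), frame_bytes_checked(1920, 1080, 4));
    printf("65536x65536x1 unchecked=%u checked=%u\n",
           frame_bytes_unchecked(65536, 65536, 1), frame_bytes_checked(65536, 65536, 1));
    printf("rect (1900,1000,21x80) in 1920x1080: %d\n",
           rect_in_bounds(1920, 1080, 1900, 1000, 21, 80));
    return 0;
}
```

For a 65536 by 65536 frame the unchecked product wraps to 0, which is exactly the shape of bug the paragraph describes: the allocation is far too small for the data that follows. The checked version returns 0 as a rejection instead, so nothing is allocated and the update is dropped.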

Timeline and fix status

When          | Event
Up to 1.8.2.2 | Versions affected by all three
June 2026     | 1.8.2.3 and 1.8.2.4 released (change list note: "repeater: security fixes")
July 1, 2026  | The three CVE IDs published in public databases

The developer's version change list states that "repeater: security fixes" were made in 1.8.2.3 and 1.8.2.4, both released in June 2026. The current latest version is 1.8.2.4; updating to it resolves all three.

What to do now

The top priority is updating to the latest 1.8.2.4. Whether you use UltraVNC's "server," "viewer," or "repeater," upgrading to the latest version closes all three. If you run the relay server (repeater) as a standalone install, do not forget to swap that repeater to the latest fixed build too.

If you cannot update immediately, three interim measures help. First, do not expose the repeater's admin console (default port 80) directly to the internet; restrict the source so it is reachable only from inside your network or a VPN. Second, always change the default password "adminadmi2" to a strong, different one; that alone blocks direct abuse of CVE-2026-7839. Third, do not connect to untrusted VNC servers; the viewer flaw (CVE-2026-7838) is greatly reduced by not connecting to suspicious servers. None of these are a root fix, so ultimately finish the update.

Summary

The three flaws found in UltraVNC all affect versions up to 1.8.2.2 and are fixed in the latest 1.8.2.4. The connection-relaying repeater in particular carries severe holes, taken over with no password (CVE-2026-7840) and walked into on the default password (CVE-2026-7839), so if you expose it to the internet, act especially fast. The viewer flaw (CVE-2026-7838) targets the user who connects to a booby-trapped server.

No real-world exploitation has been reported so far, but now that the fixes are all out is exactly when attackers can most easily analyze the holes. Since remote-operation tools spread damage broadly once breached, updating to the latest version and revisiting your exposure and default passwords early is the safe course.

FAQ

I use UltraVNC. Am I necessarily at risk?

If you use version 1.8.2.2 or earlier, one of the vulnerabilities applies. It is especially high-risk if you expose the relay server (repeater) to the internet, since it can be taken over with no password. Even personal use to just view a screen without a repeater is subject to the viewer flaw (CVE-2026-7838). Update to the latest 1.8.2.4.

Which version should I upgrade to?

Update to the latest 1.8.2.4. According to the developer's version change list, repeater security fixes were made in 1.8.2.3 and 1.8.2.4, released in June 2026. Versions up to 1.8.2.2 are affected.

I can't update right away. Any stopgaps?

Do not expose the repeater's admin console (default port 80) directly to the internet; restrict access so it is only reachable from inside your network or a VPN. Also change the default password "adminadmi2" to a strong one, and do not connect to untrusted VNC servers. These are temporary, so ultimately finish updating to the latest version.

Is it already being exploited?

As of July 1, 2026, there are no reports of real-world attacks and no listing in the U.S. CISA catalog of exploited vulnerabilities (KEV). However, once fixes are public, attackers can more easily reconstruct the details from the differences. Updating before exploitation spreads is the safe move.

Update history

  • July 1, 2026: First published (created following the publication of the three CVE IDs and the developer's version change list).

Makoto Horikawa

Backend Engineer / AWS / Django