CRITICAL | CVE-2026-7839 | CNA: securin

CVE-2026-7839: UltraVNC repeater ships hardcoded default admin password allowing unauthenticated admin access

UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string "adminadmi2" as the admin password via strcpy_s(saved_password, 64, "adminadmi2"). The HTTP Basic-auth handler wi_decode_auth() checks this password without rate-limiting or lockout. Any remote attacker who can reach the repeater HTTP port (default TCP 80) can authenticate as administrator using the well-known default credential on a fresh or unmodified installation, gaining full control of the repeater configuration including allow/deny rules and session visibility.
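
A sketch of how the two weaknesses described above could be closed, as an added example (not UltraVNC's code and not an upstream fix): the first-run path generates a per-install random password instead of copying a literal, and the check refuses the published default and locks out after repeated failures. The function names, `struct auth_state`, the thresholds and the use of `/dev/urandom` (POSIX; a Windows build would call the system RNG such as `BCryptGenRandom`) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define PW_LEN    24u  /* generated password length (assumption) */
#define MAX_FAILS 5    /* failures before lockout (assumption) */
#define LOCK_SECS 300  /* lockout duration in seconds (assumption) */

static const char KNOWN_DEFAULT[] = "adminadmi2"; /* literal from the CVE record */
struct auth_state { int fails; time_t locked_until; }; /* hypothetical */

/* First run: create a per-install random password instead of copying a literal.
   Reads the OS CSPRNG via /dev/urandom (POSIX); returns 0 on success. */
int generate_initial_password(char *out, size_t outsz) {
    static const char alphabet[] = /* 64 symbols, so (byte & 63) is unbiased */
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    unsigned char rnd[PW_LEN];
    FILE *f; size_t got, i;
    if (outsz < PW_LEN + 1) return -1;
    f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    got = fread(rnd, 1, sizeof rnd, f);
    fclose(f);
    if (got != sizeof rnd) return -1;
    for (i = 0; i < PW_LEN; i++) out[i] = alphabet[rnd[i] & 63];
    out[PW_LEN] = '\0';
    return 0;
}

/* Compare without an early exit on the first differing byte. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 = accepted, 0 = rejected, -1 = locked out. */
int check_admin_password(struct auth_state *st, const char *saved,
                         const char *supplied, time_t now) {
    if (now < st->locked_until) return -1;
    /* The published default is refused even if it is still the stored value. */
    if (ct_equal(saved, supplied) && !ct_equal(supplied, KNOWN_DEFAULT)) {
        st->fails = 0;
        return 1;
    }
    if (++st->fails >= MAX_FAILS) { st->fails = 0; st->locked_until = now + LOCK_SECS; }
    return 0;
}
```

A real handler would key the failure counter per source address so that one client cannot lock out the legitimate administrator.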

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: none published
Affected Products: 1

HarborGuard Analysis

Synopsis

A hardcoded default admin password vulnerability exists in UltraVNC repeater through version 1.8.2.2. The repeater writes the literal string "adminadmi2" as the HTTP administration password on first run, with no rate-limiting or lockout on the Basic-auth handler, meaning any attacker who can reach TCP port 80 needs no credentials beyond this publicly known default. Successful exploitation gives the attacker full administrative control over repeater configuration, including access control rules and active session visibility. No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-7839 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 9.1 (Critical) and applies per-environment compliance policy weighting to prioritize routing; alerts are directed to the appropriate team inbox within each customer organization based on policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks this advisory each ingest cycle and will make a patched-image rebuild available automatically the moment the upstream fix is released. In the interim, compensating controls such as network-policy isolation to restrict access to the repeater HTTP port are surfaced as recommended actions inside the platform.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the repeater's HTTP administration port (default TCP 80) over the network; any system with network connectivity to that port is exposed.

  • Authentication: Not required

    No credential discovery is needed because the hardcoded default password "adminadmi2" is publicly documented in the CVE record, making authentication effectively absent on unmodified installations.

  • Victim interaction: Not required

    No victim action is required; the attacker sends HTTP requests directly to the repeater without any user involvement.

  • Attack complexity: Detail

    Exploit complexity is low; the attack requires no special conditions, race windows, or environmental factors beyond network access to the HTTP port.

Blast Radius

  • Attacker reads the full repeater configuration, including allow/deny rules and active session metadata, exposing which VNC clients and servers are connected and their addressing.
  • Attacker modifies access control rules to permit or block arbitrary VNC sessions, enabling unauthorized remote desktop access to systems relaying through the repeater.
  • Attacker reconfigures the repeater to redirect or intercept VNC sessions, positioning themselves for on-path inspection of VNC traffic.

How HarborGuard Handles This

Available on HarborGuard: images containing UltraVNC repeater at or below version 1.8.2.2 are flagged as Critical-severity findings the moment the CVE is ingested. Because no upstream fix has been published, HarborGuard monitors the advisory each ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads as soon as an upstream fix version is released. While no patch is available, HarborGuard surfaces compensating-control recommendations including network-policy rules to restrict access to the repeater HTTP administration port to trusted internal ranges only, egress filtering to limit lateral reach from compromised repeater instances, and feature-flag gating where the HTTP admin interface can be disabled or firewalled at the container or pod level. Customers can also configure compliance policies to block promotion of images containing this CVE through CI/CD pipelines until remediation is confirmed.

Affected packages

  • uvnc / UltraVNC ≤ 1.8.2.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N