PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7830 Ultravnc CVE debrief

CVE-2026-7830 is a HIGH severity vulnerability in UltraVNC's MS-Logon II authentication scheme. The vulnerability uses inadequate cryptography, allowing a network attacker to derive the shared DH key and decrypt the encapsulated username and password, resulting in full credential disclosure. This affects legacy MS-Logon II connections; MS-Logon III (X25519 + AES-256-GCM) is unaffected. Users of UltraVNC, especially those using legacy MS-Logon II connections, should be aware of this vulnerability and take necessary actions to mitigate the risk.

Vendor
Ultravnc
Product
UltraVNC
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-01
Original CVE updated
2026-07-09
Advisory published
2026-07-01
Advisory updated
2026-07-09

Who should care

Users of UltraVNC, especially those using legacy MS-Logon II connections, should be aware of this vulnerability and take necessary actions to mitigate the risk. This includes updating UltraVNC to a version that fixes this vulnerability, using MS-Logon III (X25519 + AES-256-GCM) for connections, monitoring for suspicious activity on UltraVNC connections, and considering alternative remote desktop solutions.

Technical summary

UltraVNC through 1.8.2.2 uses inadequate cryptography in the MS-Logon II authentication scheme. The Diffie-Hellman key exchange is performed with parameters that fit in an unsigned 64-bit integer, making it vulnerable to Pollard's rho algorithm. Additionally, the private exponent is generated by a weak random number generator, allowing a passive observer to recover the private exponent in under a minute.

Defensive priority

High priority should be given to updating UltraVNC to a version that fixes this vulnerability, especially for users of legacy MS-Logon II connections.

Recommended defensive actions

  • Update UltraVNC to a version that fixes this vulnerability
  • Use MS-Logon III (X25519 + AES-256-GCM) for connections
  • Monitor for suspicious activity on UltraVNC connections
  • Consider using alternative remote desktop solutions
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-01T05:16:24.210Z and was last modified on 2026-07-09T06:16:21.760Z. The NVD entry is currently Modified. This vulnerability affects UltraVNC through 1.8.2.2, specifically in the MS-Logon II authentication scheme. Evidence of exploitation is not publicly available, but defenders should verify UltraVNC configurations and monitor for suspicious activity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-01T05:16:24.210Z and has not been modified since then.