PatchSiren cyber security CVE debrief
CVE-2026-7830 Ultravnc CVE debrief
CVE-2026-7830 is a HIGH severity vulnerability in UltraVNC's MS-Logon II authentication scheme. The vulnerability uses inadequate cryptography, allowing a network attacker to derive the shared DH key and decrypt the encapsulated username and password, resulting in full credential disclosure. This affects legacy MS-Logon II connections; MS-Logon III (X25519 + AES-256-GCM) is unaffected. Users of UltraVNC, especially those using legacy MS-Logon II connections, should be aware of this vulnerability and take necessary actions to mitigate the risk.
- Vendor
- Ultravnc
- Product
- UltraVNC
- CVSS
- HIGH 7.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-01
- Original CVE updated
- 2026-07-09
- Advisory published
- 2026-07-01
- Advisory updated
- 2026-07-09
Who should care
Users of UltraVNC, especially those using legacy MS-Logon II connections, should be aware of this vulnerability and take necessary actions to mitigate the risk. This includes updating UltraVNC to a version that fixes this vulnerability, using MS-Logon III (X25519 + AES-256-GCM) for connections, monitoring for suspicious activity on UltraVNC connections, and considering alternative remote desktop solutions.
Technical summary
UltraVNC through 1.8.2.2 uses inadequate cryptography in the MS-Logon II authentication scheme. The Diffie-Hellman key exchange is performed with parameters that fit in an unsigned 64-bit integer, making it vulnerable to Pollard's rho algorithm. Additionally, the private exponent is generated by a weak random number generator, allowing a passive observer to recover the private exponent in under a minute.
Defensive priority
High priority should be given to updating UltraVNC to a version that fixes this vulnerability, especially for users of legacy MS-Logon II connections.
Recommended defensive actions
- Update UltraVNC to a version that fixes this vulnerability
- Use MS-Logon III (X25519 + AES-256-GCM) for connections
- Monitor for suspicious activity on UltraVNC connections
- Consider using alternative remote desktop solutions
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-01T05:16:24.210Z and was last modified on 2026-07-09T06:16:21.760Z. The NVD entry is currently Modified. This vulnerability affects UltraVNC through 1.8.2.2, specifically in the MS-Logon II authentication scheme. Evidence of exploitation is not publicly available, but defenders should verify UltraVNC configurations and monitor for suspicious activity.
Official resources
-
CVE-2026-7830 CVE record
CVE.org
-
CVE-2026-7830 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
33c584b5-0579-4c06-b2a0-8d8329fcab9c - Product
-
Mitigation or vendor reference
33c584b5-0579-4c06-b2a0-8d8329fcab9c - Product, Release Notes
-
Source reference
33c584b5-0579-4c06-b2a0-8d8329fcab9c
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-01T05:16:24.210Z and has not been modified since then.