PatchSiren cyber security CVE debrief
CVE-2026-7839 uvnc CVE debrief
CVE-2026-7839 is a critical vulnerability in UltraVNC repeater versions up to 1.8.2.2. The repeater initializes its HTTP administration server with a hardcoded default password, 'adminadmi2', which is written to settings2.txt on first run. This allows remote attackers who can reach the repeater's HTTP port (default TCP 80) to authenticate as administrator without rate-limiting or lockout, gaining full control over the repeater configuration, including allow/deny rules and session visibility.
- Vendor
- uvnc
- Product
- UltraVNC
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-01
- Original CVE updated
- 2026-07-09
- Advisory published
- 2026-07-01
- Advisory updated
- 2026-07-09
Who should care
System administrators and security teams responsible for UltraVNC repeater installations, especially those exposed to the internet or untrusted networks, should prioritize patching this vulnerability. The hardcoded default password poses a significant risk of unauthorized access and potential lateral movement within the network.
Technical summary
The UltraVNC repeater through version 1.8.2.2 has a critical vulnerability (CVE-2026-7839) due to a hardcoded default admin password. In the settings.c file at line 197, when settings2.txt is absent on the first run, the repeater writes the literal string 'adminadmi2' as the admin password via strcpy_s(saved_password, 64, 'adminadmi2'). The HTTP Basic-auth handler, wi_decode_auth(), checks this password without implementing rate-limiting or lockout mechanisms. This allows any remote attacker who can reach the repeater's HTTP port (default TCP 80) to authenticate as administrator on a fresh or unmodified installation. Successful exploitation grants full control of the repeater configuration, including allow/deny rules and session visibility.
Defensive priority
High
Recommended defensive actions
- Immediately upgrade UltraVNC repeater to a version beyond 1.8.2.2
- Change default admin passwords for existing installations
- Restrict access to the repeater's HTTP port (TCP 80) to only necessary personnel
- Implement additional authentication mechanisms, such as multi-factor authentication
- Regularly review and update repeater configurations and passwords
Evidence notes
The CVE record was published on 2026-07-01T05:16:24.680Z and was last modified on 2026-07-09T06:16:22.213Z. The NVD entry is currently Modified. The vulnerability has a CVSS score of 9.1 and is classified as CRITICAL. The CWE associated with this vulnerability is CWE-798.
Official resources
-
CVE-2026-7839 CVE record
CVE.org
-
CVE-2026-7839 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
33c584b5-0579-4c06-b2a0-8d8329fcab9c - Product
-
Mitigation or vendor reference
33c584b5-0579-4c06-b2a0-8d8329fcab9c - Product, Release Notes
-
Source reference
33c584b5-0579-4c06-b2a0-8d8329fcab9c
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-01T05:16:24.680Z and has not been modified since then. The NVD entry is currently Modified.