PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7839 uvnc CVE debrief

CVE-2026-7839 is a critical vulnerability in UltraVNC repeater versions up to 1.8.2.2. The repeater initializes its HTTP administration server with a hardcoded default password, 'adminadmi2', which is written to settings2.txt on first run. This allows remote attackers who can reach the repeater's HTTP port (default TCP 80) to authenticate as administrator without rate-limiting or lockout, gaining full control over the repeater configuration, including allow/deny rules and session visibility.

Vendor
uvnc
Product
UltraVNC
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-01
Original CVE updated
2026-07-09
Advisory published
2026-07-01
Advisory updated
2026-07-09

Who should care

System administrators and security teams responsible for UltraVNC repeater installations, especially those exposed to the internet or untrusted networks, should prioritize patching this vulnerability. The hardcoded default password poses a significant risk of unauthorized access and potential lateral movement within the network.

Technical summary

The UltraVNC repeater through version 1.8.2.2 has a critical vulnerability (CVE-2026-7839) due to a hardcoded default admin password. In the settings.c file at line 197, when settings2.txt is absent on the first run, the repeater writes the literal string 'adminadmi2' as the admin password via strcpy_s(saved_password, 64, 'adminadmi2'). The HTTP Basic-auth handler, wi_decode_auth(), checks this password without implementing rate-limiting or lockout mechanisms. This allows any remote attacker who can reach the repeater's HTTP port (default TCP 80) to authenticate as administrator on a fresh or unmodified installation. Successful exploitation grants full control of the repeater configuration, including allow/deny rules and session visibility.

Defensive priority

High

Recommended defensive actions

  • Immediately upgrade UltraVNC repeater to a version beyond 1.8.2.2
  • Change default admin passwords for existing installations
  • Restrict access to the repeater's HTTP port (TCP 80) to only necessary personnel
  • Implement additional authentication mechanisms, such as multi-factor authentication
  • Regularly review and update repeater configurations and passwords

Evidence notes

The CVE record was published on 2026-07-01T05:16:24.680Z and was last modified on 2026-07-09T06:16:22.213Z. The NVD entry is currently Modified. The vulnerability has a CVSS score of 9.1 and is classified as CRITICAL. The CWE associated with this vulnerability is CWE-798.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-01T05:16:24.680Z and has not been modified since then. The NVD entry is currently Modified.