CVE-2026-7839
Received - Intake

Hardcoded Admin Password in UltraVNC Repeater

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: securin

Description

UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string "adminadmi2" as the admin password via strcpy_s(saved_password, 64, "adminadmi2"). The HTTP Basic-auth handler wi_decode_auth() checks this password without rate-limiting or lockout. Any remote attacker who can reach the repeater HTTP port (default TCP 80) can authenticate as administrator using the well-known default credential on a fresh or unmodified installation, gaining full control of the repeater configuration including allow/deny rules and session visibility.
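
The first-run pattern described above beside one possible hardened form, as an added example that is not UltraVNC source code. The function names and the /dev/urandom source are assumptions chosen so the code runs on a POSIX host; a Windows build would call a platform CSPRNG such as BCryptGenRandom instead.

```c
#include <stdio.h>
#include <string.h>

#define PW_BUF 64                 /* buffer size quoted in the advisory */
#define DEFAULT_PW "adminadmi2"   /* literal quoted in the advisory */

/* Pattern the advisory describes: every fresh install ends up with the same
   secret. The advisory quotes strcpy_s; snprintf is used here for portability. */
static void first_run_password_vulnerable(char saved_password[PW_BUF]) {
    snprintf(saved_password, PW_BUF, "%s", DEFAULT_PW);
}

/* Hardened first run (hypothetical): draw a per-install password from the OS
   CSPRNG. Returns 0 on success, -1 on failure; on -1 the caller should keep
   the admin server disabled instead of falling back to a default. */
static int first_run_password_hardened(char saved_password[PW_BUF], size_t len) {
    static const char alphabet[] =   /* 57 symbols, look-alikes removed */
        "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
    const size_t n = sizeof(alphabet) - 1;
    const size_t limit = 256 - (256 % n);   /* rejection bound, avoids modulo bias */
    FILE *rng;
    size_t i = 0;

    saved_password[0] = '\0';
    if (len == 0 || len >= PW_BUF) return -1;
    rng = fopen("/dev/urandom", "rb");      /* assumption: POSIX host */
    if (rng == NULL) return -1;
    while (i < len) {
        int b = fgetc(rng);
        if (b == EOF) { fclose(rng); saved_password[0] = '\0'; return -1; }
        if ((size_t)b < limit) saved_password[i++] = alphabet[(size_t)b % n];
    }
    saved_password[len] = '\0';
    fclose(rng);
    return 0;
}

int main(void) {
    char pw[PW_BUF];
    first_run_password_vulnerable(pw);
    printf("vulnerable first run: \"%s\" on every install\n", pw);
    if (first_run_password_hardened(pw, 24) != 0) {
        fputs("no randomness available; admin server stays disabled\n", stderr);
        return 1;
    }
    printf("hardened first run: unique %zu-character password generated\n", strlen(pw));
    return 0;
}
```

A generated password still has to be shown to the operator once and is better stored as a salted hash than in clear text.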

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor Product Version / Range
ultravnc repeater 1.8.2.2

CWE

CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.

Executive Summary

This vulnerability exists in UltraVNC repeater versions up to 1.8.2.2, where the HTTP administration server is initialized with a hardcoded default password. Specifically, if the settings file (settings2.txt) is missing on the first run, the repeater sets the admin password to the literal string "adminadmi2". The HTTP Basic-auth handler verifies this password without any rate-limiting or lockout mechanisms. As a result, any remote attacker who can access the repeater's HTTP port (default TCP 80) can authenticate as an administrator using this known default password.

This allows the attacker to gain full control over the repeater configuration, including the ability to modify allow/deny rules and view session information.

Impact Analysis

The vulnerability can have a severe impact as it allows an unauthenticated remote attacker to gain administrative access to the UltraVNC repeater. This means the attacker can fully control the repeater's configuration, potentially altering access controls and monitoring sessions.

Such access can lead to data exposure, manipulation of network traffic, and disruption of services relying on the repeater.

Detection Guidance

This vulnerability can be detected by checking if the UltraVNC repeater HTTP administration server is running with the default hardcoded password "adminadmi2" on the HTTP port (default TCP 80). Since the repeater uses HTTP Basic authentication without rate-limiting or lockout, an attacker can authenticate remotely using this default credential.

To detect this on your system or network, you can attempt to authenticate to the UltraVNC repeater HTTP administration interface using the default credentials.

  • Use a command-line HTTP client like curl to test authentication: curl -v --user admin:adminadmi2 http://<repeater-ip>/
  • Scan your network for hosts with TCP port 80 open that respond as UltraVNC repeater HTTP servers.

Mitigation Strategies

Immediate mitigation steps include changing the default hardcoded password on the UltraVNC repeater HTTP administration server to a strong, unique password as soon as possible.

Additionally, restrict access to the repeater HTTP port (default TCP 80) by using firewall rules or network segmentation to limit exposure to trusted hosts only.

Ensure that the settings2.txt file is created with a secure password to prevent the repeater from using the default password on startup.

Compliance Impact

This vulnerability allows any remote attacker to gain full administrative control over the UltraVNC repeater configuration by exploiting a hardcoded default password without any rate-limiting or lockout mechanisms.

Such unauthorized access could lead to exposure or manipulation of sensitive data and configurations, potentially violating data protection requirements under standards like GDPR and HIPAA.

Specifically, the lack of proper authentication controls and the possibility of unauthorized administrative access may result in non-compliance with security controls mandated by these regulations, which require protection of personal and health information against unauthorized access.
