Critical Vulnerabilities in UltraVNC Repeater Component
Summary
The critical vulnerabilities could allow a remote attacker either to obtain administrative control of the service through a hard-coded credential (CVE-2026-7839) or to achieve unauthenticated arbitrary code execution (CVE-2026-7840).
Affected platforms
The following platforms are known to be affected:
Threat details
At the time of writing, there is no confirmed evidence of active exploitation for these vulnerabilities. However, both issues are remotely exploitable without authentication and could present significant risk to vulnerable devices.
The affected component is the UltraVNC Repeater, which is designed to broker remote connections between UltraVNC clients and servers. Organisations using UltraVNC for remote support, administration, supplier access, or operational support should determine whether vulnerable repeater instances are deployed and whether they are reachable from untrusted networks.
Introduction
Two critical vulnerabilities affecting UltraVNC Repeater were published.
- CVE-2026-7839 - "Use of Hard-coded Credentials" vulnerability - CVSSv3 score: 9.1
  Successful exploitation could allow a remote, unauthenticated attacker with access to the repeater HTTP port (default TCP 80) to authenticate using the known default credential and gain administrative control of the repeater.
- CVE-2026-7840 - "Out-of-bounds Write" vulnerability - CVSSv3 score: 9.8
  Successful exploitation could allow a remote, unauthenticated attacker to corrupt memory and execute arbitrary code on the host running the repeater.
Organisations operating internet-facing or operationally important UltraVNC Repeater instances should prioritise identification and remediation activities due to the combination of network accessibility, low attack complexity, and potentially significant organisational impact.
Remediation advice
Affected organisations are encouraged to review the GitHub Advisory Database for CVE-2026-7839 and the GitHub Advisory Database for CVE-2026-7840. Updates to 1.8.2.4 are available on the UltraVNC download page and should be applied as soon as possible.
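To support the identification and prioritisation described above, the following added example (not part of the original advisory or of the UltraVNC project) ranks repeater instances from an asset inventory by update status and exposure. The inventory records, host names and trusted ranges are constructed, and treating any build older than 1.8.2.4, or of unknown version, as needing the update is an assumption.

```python
import ipaddress

FIXED = (1, 8, 2, 4)  # update version named in the advisory
# Assumption: ranges this organisation treats as trusted.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed inventory (hypothetical hosts): repeater version and the
# source ranges that firewall rules allow to reach the repeater's ports.
INVENTORY = [
    {"host": "rep-dmz-01", "version": "1.8.2.2", "allowed_sources": ["0.0.0.0/0"]},
    {"host": "rep-int-02", "version": "1.8.1.0", "allowed_sources": ["10.20.0.0/16"]},
    {"host": "rep-int-03", "version": "1.8.2.4", "allowed_sources": ["0.0.0.0/0"]},
    {"host": "rep-lab-04", "version": "unknown", "allowed_sources": ["192.168.5.0/24"]},
]

def parse_version(text):
    """Return the version as a 4-part tuple of ints, or None if unparseable."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))

def reachable_from_untrusted(sources):
    """True if any allowed source range is not inside a trusted range."""
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED):
            return True
    return False

def triage(entry):
    """Classify one inventory entry as 'updated', 'P1' or 'P2'."""
    version = parse_version(entry["version"])
    if version is not None and version >= FIXED:
        return "updated"
    # Older or unknown builds are treated as needing the update (assumption).
    return "P1" if reachable_from_untrusted(entry["allowed_sources"]) else "P2"

def report(inventory):
    """Return (priority, host) pairs, most urgent first."""
    order = {"P1": 0, "P2": 1, "updated": 2}
    rows = [(triage(e), e["host"]) for e in inventory]
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))

if __name__ == "__main__":
    for priority, host in report(INVENTORY):
        print(f"{priority:8} {host}")
```

P1 marks instances that still need the update and accept connections from outside the trusted ranges; P2 marks instances that need the update but are reachable only from trusted ranges.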
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 2 July 2026 3:18 pm