Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a vulnerability in UltraVNC's repeater service, specifically how its administrative interface is initialized with a default password. This could allow unauthorized remote access to the repeater's configuration settings, including access controls and session visibility, on unpatched or newly deployed instances.
- Weak default password on an administrative tool.
- Grants full control over configuration.
- Confirm relevance and check for exposure.
Attack Path
How an attacker could exploit the issue
Attackers can target the UltraVNC repeater's HTTP administration server by exploiting a hardcoded default password. An attacker who can access the repeater's HTTP port can log in as an administrator using the known default credential on new or unconfigured installations. This access allows them to fully control the repeater's settings, including its access rules and visibility of connections.
- Attacker can reach HTTP port.
- Hardcoded password allows admin login.
- Full control over repeater configuration.
Live Threat
Current exploitation, exposure, and threat context
When an UltraVNC repeater is first deployed without a settings file, its HTTP administration server is initialized with a hardcoded default password. This allows any unauthenticated remote attacker who can access the repeater's HTTP port to log in with full administrative control over its configuration and view active sessions.
- Repeater configuration and session visibility.
- Unauthenticated network access to the HTTP port.
- Full administrative control over the repeater.
Operational Fix
Recommended remediation, mitigation, and detection steps
The UltraVNC repeater's hardcoded default password presents a critical risk, allowing unauthenticated remote attackers to gain full administrative control. Ownership likely falls to the teams managing the remote access infrastructure or specific application deployments. The first practical step is to identify all UltraVNC repeater instances, assess their network exposure and business criticality, and confirm the accountable owner for remediation planning.
- Infrastructure or application owners should address.
- Verify network exposure and instance reachability.
- Plan remediation based on identified risk.