External risk intelligence

UltraVNC Repeater Hardcoded Password Allows Remote Configuration Takeover

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-7839

The vulnerability affects an HTTP administration interface designed to be network-accessible for remote management purposes. As a repeater service intended to facilitate remote connections, its management interface is commonly deployed in network-reachable configurations where it can be exposed to remote access.

Uvnc Ultravnc

1.8.2.2 and earlier

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in UltraVNC's repeater service, specifically how its administrative interface is initialized with a default password. This could allow unauthorized remote access to the repeater's configuration settings, including access controls and session visibility, on unpatched or newly deployed instances.

  • Weak default password on an administrative tool.
  • Grants full control over configuration.
  • Confirm relevance and check for exposure.

Attack Path

How an attacker could exploit the issue

Attackers can target the UltraVNC repeater's HTTP administration server by exploiting a hardcoded default password. An attacker who can access the repeater's HTTP port can log in as an administrator using the known default credential on new or unconfigured installations. This access allows them to fully control the repeater's settings, including its access rules and visibility of connections.

  • Attacker can reach HTTP port.
  • Hardcoded password allows admin login.
  • Full control over repeater configuration.

Live Threat

Current exploitation, exposure, and threat context

When an UltraVNC repeater is first deployed without a settings file, its HTTP administration server is initialized with a hardcoded default password. This allows any unauthenticated remote attacker who can access the repeater's HTTP port to log in with full administrative control over its configuration and view active sessions.

  • Repeater configuration and session visibility.
  • Unauthenticated network access to the HTTP port.
  • Full administrative control over the repeater.

Operational Fix

Recommended remediation, mitigation, and detection steps

The UltraVNC repeater's hardcoded default password presents a critical risk, allowing unauthenticated remote attackers to gain full administrative control. Ownership likely falls to the teams managing the remote access infrastructure or specific application deployments. The first practical step is to identify all UltraVNC repeater instances, assess their network exposure and business criticality, and confirm the accountable owner for remediation planning.

  • Infrastructure or application owners should address.
  • Verify network exposure and instance reachability.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the UltraVNC repeater component?

The UltraVNC repeater is a specialized proxy service used to facilitate remote desktop connections between clients and servers. It acts as an intermediary, allowing VNC traffic to traverse firewalls or network address translation (NAT) boundaries. By managing the routing of these remote sessions, it provides a centralized point for connectivity, often featuring an HTTP-based administrative interface for operators to oversee configurations and active session traffic.

What does CVE-2026-7839 mean for the software?

This vulnerability is classified as CWE-798, which involves the use of hardcoded credentials. In this specific case, the UltraVNC repeater automatically sets a predictable, default password during its initial setup if a configuration file is missing. Because the administrative interface does not enforce rate-limiting or account lockout, an attacker can programmatically test this known default credential to gain unauthorized administrative access to the service.

How does an attacker trigger this vulnerability?

An attacker triggers this by sending a request to the repeater's HTTP administration port, typically TCP port 80. The vulnerability is present only when a repeater is freshly installed or running without a custom settings file, as this is when the software initializes with the default password. If a user has already created a custom configuration file and changed the password, the default credential is no longer active, and the vulnerability is not triggered.

Is my UltraVNC instance at risk?

According to Halo Surface Signal, this vulnerability is considered a high-risk concern because the administrative interface is designed to be accessible over the network for remote management. If your repeater's HTTP management port is exposed to the internet or reachable from untrusted network segments, it is a primary target. You should prioritize instances that are not restricted by network-level access controls, as these are the most likely to be successfully reached by remote attackers.

What should I do if I run UltraVNC?

Your first step is to perform an inventory to locate all active repeater instances across your environment. Verify whether these instances are currently reachable over the network and confirm if they were initialized using default settings. Once identified, ensure that the administrative password is changed immediately to a strong, unique value. Coordinate with your infrastructure team to restrict access to the HTTP management interface to trusted IP addresses only.

References