External risk intelligence

UltraVNC Repeater HTTP Server Buffer Overflow Allows Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-7840

The vulnerability exists in an embedded HTTP administration server used by UltraVNC repeater software. This component is designed to be reachable over the network to facilitate remote management and administration, often residing on edge or accessible infrastructure, making it a common target for remote, unauthenticated access via standard HTTP ports.

Out-of-bounds Write

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in the UltraVNC repeater's embedded HTTP administration server could allow unauthenticated attackers to execute arbitrary code on affected systems. The issue stems from a buffer overflow in how the server handles HTTP request URIs, a flaw that can be exploited remotely without any prior authentication.

  • Code execution risk in management interfaces.
  • Attackers can remotely take over systems.
  • Confirm exposure and manage remote access points.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can send a specially crafted HTTP request to the UltraVNC repeater's administration port, triggering a buffer overflow. This occurs because the server improperly handles long URI lengths in HTTP requests, overwriting adjacent memory. Successful exploitation can lead to arbitrary code execution on the affected system.

  • Network access to repeater HTTP port required.
  • Sending a long URI in an HTTP request.
  • Arbitrary code execution is possible.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an unauthenticated attacker to execute arbitrary code on a system running the UltraVNC repeater. The overflow occurs in the embedded HTTP administration server before any authentication checks, meaning an attacker only needs to be able to reach the repeater's HTTP port to trigger the overflow.

  • Remote code execution on the host.
  • Triggered by sending a long URI.
  • Compromise of the affected system.

Operational Fix

Recommended remediation, mitigation, and detection steps

The UltraVNC repeater's embedded HTTP administration server contains a critical buffer overflow vulnerability, allowing unauthenticated remote attackers to achieve arbitrary code execution. This impacts organizations using UltraVNC for remote access or administration. The immediate practical steps involve identifying all instances of the UltraVNC repeater, determining their network exposure, and confirming business criticality before planning remediation.

  • Identify UltraVNC repeater instances.
  • Verify network reachability and business criticality.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the UltraVNC repeater used for?

UltraVNC is a remote desktop software suite used for managing computers over a network. The repeater component specifically acts as a bridge or relay, allowing remote administration connections to pass through network boundaries like firewalls, which is essential for IT support teams to manage devices that are not directly reachable.

What does CWE-787 mean for CVE-2026-7840?

CWE-787 refers to an Out-of-bounds Write, commonly known as a buffer overflow. In this CVE, the repeater's web interface fails to limit the size of data copied into memory. Because the software does not check the length of an incoming request's URI against the size of the container, an attacker can overwrite adjacent system memory, which can lead to unauthorized code execution.

How does an attacker trigger this buffer overflow?

An attacker triggers the flaw by sending a specially crafted HTTP request to the repeater's administration port containing a long URI. It is important to note that this trigger occurs entirely before the software checks for any user credentials. Legitimate requests with short URIs do not trigger the overflow, but any request exceeding the 1000-byte limit in the affected buffer creates the condition for memory corruption.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal indicates a high likelihood of risk because the vulnerability exists within an administration server designed to be reachable over the network. Since this component often sits on edge infrastructure to facilitate remote management, any instance accessible via the internet or wide network segments is a potential target for unauthenticated remote access.

What should I do first to manage this risk?

Start by conducting an inventory to identify every system running the UltraVNC repeater. Once identified, evaluate whether these services are necessary for business operations and confirm if they are exposed to untrusted networks. Prioritize restricting access to these ports until you can apply the necessary updates or mitigate the exposure by isolating the administration interface from broader network reach.

References