Two critical vulnerabilities have been disclosed in the HTTP admin server of UltraVNC's repeater tool, affecting versions through 1.8.2.2. The first, CVE-2026-7840 (CVSS 9.8), is a global buffer overflow in the repeater's HTTP server that allows arbitrary code execution. The second, CVE-2026-7839 (CVSS 9.1), is a hardcoded admin password that can be exploited remotely.
No exploitation has been confirmed, but both vulnerabilities pose significant risk because the repeater relays remote desktop sessions and is often exposed to the internet. Users are advised to update to the latest version and strengthen security measures.