Description
UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string "adminadmi2" as the admin password via strcpy_s(saved_password, 64, "adminadmi2"). The HTTP Basic-auth handler wi_decode_auth() checks this password without rate-limiting or lockout. Any remote attacker who can reach the repeater HTTP port (default TCP 80) can authenticate as administrator using the well-known default credential on a fresh or unmodified installation, gaining full control of the repeater configuration including allow/deny rules and session visibility.
Problem types
Product status
Any version
Timeline
| 2026-06-02: | Vulnerability discovered during security audit |
| 2026-06-17: | Reported to vendor (coordinated disclosure) |
| 2026-09-15: | Planned public disclosure (90-day window) |
Credits
Arjun Basnet, Securin (arjun.basnet@securin.io)
References
uvnc.com/ (UltraVNC project page)
github.com/ultravnc/UltraVNC (UltraVNC source repository)
www.securin.io/...dmin-password-adminadmi2-ultravnc-repeater