CVE-2026-3787

7.0 HIGH

📋 TL;DR

This vulnerability in UltraVNC 1.6.4.0 on Windows involves an uncontrolled search path weakness in cryptbase.dll that could allow local attackers to execute arbitrary code by placing malicious DLLs in specific directories. It affects Windows systems running UltraVNC 1.6.4.0 and requires local access with high complexity to exploit.

💻 Affected Systems

Products:
  • UltraVNC
Versions: 1.6.4.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects cryptbase.dll component within UltraVNC's Windows service.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation leading to full system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case

Limited impact due to high exploit complexity and local access requirement; potential for unauthorized code execution by malicious local users.

🟢 If Mitigated

Minimal impact with proper access controls, least privilege principles, and DLL search path hardening.

🌐 Internet-Facing: LOW - Requires local access, not remotely exploitable.
🏢 Internal Only: MEDIUM - Local attackers could exploit, but high complexity reduces likelihood.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

The attack requires local access and is highly complex to carry out; the vendor did not respond to disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - vendor did not respond

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch available. Consider upgrading to newer UltraVNC versions if available, or implementing workarounds.

🔧 Temporary Workarounds

Restrict DLL search path

windows

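Configure Windows to restrict DLL search paths using SafeDllSearchMode or the SetDefaultDllDirectories API. SafeDllSearchMode is a system-wide registry setting that is already enabled by default on current Windows versions; it moves the current working directory later in the search order, but the application's own directory is still searched first. SetDefaultDllDirectories is called by the application itself, so it is a code change rather than an administrator-side setting.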

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f

Remove vulnerable UltraVNC version

windows

Uninstall UltraVNC 1.6.4.0 and replace with alternative remote access solutions

Control Panel > Programs > Uninstall UltraVNC 1.6.4.0

🧯 If You Can't Patch

  • Implement strict local access controls and least privilege principles
  • Monitor for suspicious DLL loading behavior and file system changes

🔍 How to Verify

Check if Vulnerable:

Check UltraVNC version: Open UltraVNC Viewer/Server > Help > About, or check installed programs list for version 1.6.4.0

Check Version:

wmic product where name="UltraVNC" get version

Verify Fix Applied:

Verify UltraVNC is no longer version 1.6.4.0, or that workarounds are properly configured

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing DLL loading from unexpected paths
  • Process Monitor logs showing cryptbase.dll being loaded from non-standard locations

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

EventID=7 from Sysmon showing ImageLoaded from suspicious paths containing cryptbase.dll
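
One way to turn the Sysmon indicator above into a check, as an added example that is not part of the original advisory or of any vendor tooling. It assumes System32 and SysWOW64 are the only trusted locations for cryptbase.dll; the function name, the sample events and the C:\ExampleApp path are constructed for illustration.

```powershell
# Added example. Assumption: these are the only trusted homes for cryptbase.dll.
$TrustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-SuspiciousCryptbaseLoad {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        if ($evt.System.EventID -ne '7') { return }   # Sysmon ImageLoad events only

        # Flatten the <Data Name="..."> elements into a lookup table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

        $loaded = $data['ImageLoaded']
        if (-not $loaded) { return }
        # Pure string parsing, so paths on drives that do not exist locally still work.
        if ([System.IO.Path]::GetFileName($loaded) -ne 'cryptbase.dll') { return }
        # Exact, case-insensitive match on the parent directory (subfolders are not trusted).
        if ([System.IO.Path]::GetDirectoryName($loaded) -in $TrustedDirs) { return }

        [pscustomobject]@{
            UtcTime     = $data['UtcTime']
            Process     = $data['Image']
            ImageLoaded = $loaded
            Signed      = $data['Signed']
        }
    }
}

# Constructed sample events (not real telemetry); C:\ExampleApp is a placeholder path.
$fmt = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
       '<System><EventID>7</EventID></System><EventData>' +
       '<Data Name="UtcTime">2026-01-01 00:00:00.000</Data>' +
       '<Data Name="Image">C:\ExampleApp\app.exe</Data>' +
       '<Data Name="ImageLoaded">{0}</Data><Data Name="Signed">{1}</Data>' +
       '</EventData></Event>'
$samples = @(
    ($fmt -f "$env:SystemRoot\System32\cryptbase.dll", 'true'),
    ($fmt -f 'C:\ExampleApp\cryptbase.dll', 'false')
)
$samples | Get-SuspiciousCryptbaseLoad

# Live use (requires Sysmon with ImageLoad logging enabled):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=7} |
#     ForEach-Object { $_.ToXml() } | Get-SuspiciousCryptbaseLoad
```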
