| Title | UltraVNC 1.6.4.0 Uncontrolled Search Path |
|---|
| Description | UltraVNC version x.x.x.x (32-bit/x86) fails to securely load the system DLL "cryptbase.dll" by using a relative path or relying on the default Windows DLL search order without mitigation. This allows an attacker with local access to place a malicious cryptbase.dll in a directory that precedes the legitimate System32 path in the search order (such as the application's installation directory, current working directory, or a user-writable location alongside the UltraVNC service executable).
When the vulnerable UltraVNC service (winvnc.exe) loads cryptbase.dll, the malicious DLL is executed in the context of the service process. If the service runs with elevated privileges (SYSTEM or high-integrity, common for VNC servers installed as a service), this results in arbitrary code execution with SYSTEM privileges, enabling actions such as establishing a reverse shell to the attacker's machine, installing persistence mechanisms, or performing further privilege escalation and lateral movement. |
|---|
| Source | ⚠️ https://drive.google.com/file/d/14ixv_1i4D2VrZWyl4RKsvFcN1AMF_qNx/view |
|---|
| User | haehanse (UID 95883) |
|---|
| Submission | 02/25/2026 10:28 (1 month ago) |
|---|
| Moderation | 03/08/2026 08:11 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 349754 [UltraVNC 1.6.4.0 on Windows Windows Service cryptbase.dll uncontrolled search path] |
|---|
| Points | 20 |
|---|