Ultravnc · Ultravnc · CVE-2022-24750
**Name of the Vulnerable Software and Affected Versions**
UltraVNC versions prior to 1.3.8.0
**Description**
A vulnerability has been found in UltraVNC, a free and open-source remote PC access software, in which the DSM plugin module allows a local authenticated user to achieve local privilege escalation (LPE) on a vulnerable system. The fix restricts plugin loading to the installed directory.
**Recommendations**
For versions prior to 1.3.8.0, upgrade to version 1.3.8.1 to resolve the issue.
If an upgrade is not possible, do not install and run UltraVNC server as a service.
As a temporary workaround, consider creating a scheduled task on a low-privilege account to launch WinVNC.exe instead.
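
The following PowerShell is an added example, not part of the original advisory or of UltraVNC: it reports whether WinVNC.exe is registered as a Windows service and below the fixed version, and defines a helper that creates the scheduled-task workaround. The function names, the task name and the `$Account` parameter are hypothetical, and the version check assumes the file version resource of WinVNC.exe matches the release number.

```powershell
# Added example. Assumption: the file version resource of WinVNC.exe matches the release number.
$FixedIn = [version]'1.3.8.0'   # from the advisory: versions prior to this are affected

function Get-WinVncServiceExposure {
    # Match services by image path so the check does not depend on a service name.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'winvnc\.exe' } |
        ForEach-Object {
            # PathName can be quoted and carry arguments; keep only the executable path.
            if ($_.PathName -match '^\s*"([^"]+)"' -or $_.PathName -match '^\s*(.+?\.exe)') {
                $exe = $Matches[1]
                $vi  = (Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue).VersionInfo
                $ver = if ($vi) {
                    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
                }
                [pscustomobject]@{
                    Service    = $_.Name
                    RunsAs     = $_.StartName      # account the service runs under
                    State      = $_.State
                    Executable = $exe
                    Version    = $ver
                    Affected   = if ($ver) { $ver -lt $FixedIn } else { $null }  # $null = version unreadable
                }
            }
        }
}

function Register-LowPrivWinVncTask {
    param(
        [Parameter(Mandatory)] [string] $WinVncPath,  # full path to WinVNC.exe on this host
        [Parameter(Mandatory)] [string] $Account      # existing standard (non-admin) user (placeholder)
    )
    # Start WinVNC.exe at that user's logon with a limited (non-elevated) token.
    $action    = New-ScheduledTaskAction -Execute $WinVncPath
    $trigger   = New-ScheduledTaskTrigger -AtLogOn -User $Account
    $principal = New-ScheduledTaskPrincipal -UserId $Account -LogonType Interactive -RunLevel Limited
    Register-ScheduledTask -TaskName 'WinVNC (low privilege)' -Action $action -Trigger $trigger -Principal $principal
}

Get-WinVncServiceExposure | Format-Table -AutoSize
```

A row with `Affected` set to `True` identifies a host where WinVNC.exe runs as a service on a version prior to 1.3.8.0, which is the configuration the recommendations above address.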