PT-2022-16854 · Ultravnc · Ultravnc

Jing Qiang +1 · Published 2022-03-10 · Updated 2023-03-01 · CVE-2022-24750

CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: UltraVNC versions prior to 1.3.8.0

Description: A vulnerability has been found in UltraVNC, a free and open source remote PC access software, where the DSM plugin module allows a local authenticated user to achieve local privilege escalation (LPE) on a vulnerable system. The fix restricts plugin loading to the installation directory.

Recommendations: For versions prior to 1.3.8.0, upgrade to version 1.3.8.1 to resolve the issue. If an upgrade is not possible, do not install and run the UltraVNC server as a service. As a temporary workaround, consider creating a scheduled task on a low-privilege account to launch WinVNC.exe instead.

Weakness Enumeration: Improper Privilege Management

Related Identifiers: CVE-2022-24750, GHSA-3MVP-CP5X-VJ5G

Affected Products: Ultravnc