PT-2025-9107 · Nvda · Nvda

Juan Mathews Rebello Santos · Published 2025-02-28 · Updated 2025-02-28

CVE-2025-26326

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: NVDA versions 2024.4.1 through 2024.4.2

Description: A vulnerability in the remote connection add-ons for NVDA allows an attacker to obtain total control of the remote system by guessing a weak password. The problem occurs because the add-ons accept any password typed by the user and have no additional authentication or verification mechanism on the computer being accessed. Tests indicate that over 1,000 systems use easy-to-guess passwords, many with fewer than 4 to 6 characters, including common sequences. This enables brute-force or trial-and-error attacks by malicious actors. The vulnerability can be exploited by a remote attacker who knows or can guess the password used for the connection, resulting in complete access to the affected system and allowing the attacker to run commands, modify files, and compromise the user's security.

Recommendations: For NVDA versions 2024.4.1 and 2024.4.2, consider implementing additional authentication mechanisms to prevent brute-force attacks. As a temporary workaround, restrict access to remote connections until a patch is available. Avoid weak passwords, especially those with fewer than 4 to 6 characters or common sequences, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
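The mitigations in the recommendations above, as an added, hypothetical example that is not NVDA's or any add-on's code: a weak-password check using the advisory's own criteria (fewer than 6 characters or a common sequence) and a per-source lockout that limits password guessing on the accepting side. Source identifiers, thresholds and the sample password are constructed.

```python
# Hypothetical defender-side controls for the password-guessing weakness
# described in this advisory. Illustrative only; not the add-on's real code.
import hmac
from collections import defaultdict

MIN_PASSWORD_LENGTH = 6
# Common sequences the advisory warns about (constructed, not exhaustive).
COMMON_SEQUENCES = ("123456", "12345", "1234", "abcd", "qwerty", "password", "0000")


def is_weak_password(password: str) -> bool:
    """True if the password is too short or contains a common sequence."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return True
    lowered = password.lower()
    return any(seq in lowered for seq in COMMON_SEQUENCES)


class LoginThrottle:
    """Lock out a source after max_failures failed guesses within a window."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(list)  # source -> timestamps of failed attempts
        self.locked_until = {}             # source -> time the lockout expires

    def is_locked(self, source, now):
        return self.locked_until.get(source, 0) > now

    def record_failure(self, source, now):
        recent = [t for t in self.failures[source] if now - t < self.window]
        recent.append(now)
        self.failures[source] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[source] = now + self.lockout
        return self.is_locked(source, now)

    def record_success(self, source):
        self.failures.pop(source, None)


def authenticate(throttle, source, supplied, expected, now):
    """Check a connection password with lockout and constant-time comparison.

    Returns (accepted, reason); 'now' is injected so callers and tests control time.
    """
    if throttle.is_locked(source, now):
        return False, "locked_out"
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        throttle.record_success(source)
        return True, "ok"
    throttle.record_failure(source, now)
    return False, "bad_password"
```

A password accepted only after `is_weak_password` rejects short or sequence-based values, combined with the lockout, closes the two gaps the advisory names: unchecked passwords and unlimited guessing.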

Exploit

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2025-26326

Affected Products: Nvda