CVE-2022-24750

Description

UltraVNC is a free and open source remote pc access software. A vulnerability has been found in versions prior to 1.3.8.0 in which the DSM plugin module, which allows a local authenticated user to achieve local privilege escalation (LPE) on a vulnerable system. The vulnerability has been fixed to allow loading of plugins from the installed directory. Affected users should upgrade their UltraVNC to 1.3.8.1. Users unable to upgrade should not install and run UltraVNC server as a service. It is advisable to create a scheduled task on a low privilege account to launch WinVNC.exe instead. There are no known workarounds if winvnc needs to be started as a service.

Risk Information

Base Score

7.8

MODERATE

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Exploitation Probability

0.09

Associated Vulnerability

Vulnerability	OS Platform
Vulnerabilities CVE-2022-24750 are affected in UltraVNC (MSI) (x64) 1.2.2.4	Windows
Vulnerabilities CVE-2022-24750 are affected in UltraVNC (MSI) 1.2.2.4	Windows
Vulnerabilities CVE-2022-24750 are affected in UltraVNC (x64) 1.2.2.4	Windows
Vulnerabilities CVE-2022-24750 are affected in UltraVNC (x86) 1.2.2.4	Windows

Patch Details

Click to see the patches provided by ManageEngine for this CVE

Patch ID	Patch Description
PATCH-349101	UltraVNC (x64) (1.6.4.0)
PATCH-349100	UltraVNC (1.6.4.0)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234