CVE-2026-3787 identifies a vulnerability in UltraVNC version 1.6.4.0 running on Windows platforms, specifically involving an uncontrolled search path weakness linked to the cryptbase.dll library utilized by a Windows Service component. This vulnerability arises when the service improperly handles the search path for loading DLLs, allowing an attacker with local access to influence which DLL is loaded by placing a malicious DLL in a location that is searched before the legitimate one. The attack complexity is high, requiring local access and advanced skills to exploit, and no user interaction is necessary. The vulnerability affects confidentiality, integrity, and availability due to the potential for privilege escalation or arbitrary code execution within the context of the Windows Service. The CVSS 4.0 score is 7.3 (high), reflecting the difficulty of exploitation but significant impact if successfully exploited. No patches or vendor responses have been provided, and no known exploits are currently active in the wild. The vulnerability is particularly concerning because it involves a core Windows library (cryptbase.dll) and a widely used remote desktop tool, UltraVNC, which is often deployed in enterprise environments for remote administration.

If exploited, this vulnerability could allow a local attacker with limited privileges to escalate their privileges or execute arbitrary code with the permissions of the vulnerable Windows Service running UltraVNC. This could lead to unauthorized access to sensitive data, disruption of service, or further compromise of the affected system. Since UltraVNC is commonly used for remote administration, successful exploitation could undermine the security of remote management operations, potentially allowing attackers to gain persistent footholds or move laterally within networks. The high complexity and local access requirement limit the scope of immediate widespread exploitation, but targeted attacks in sensitive environments could have severe consequences. The lack of vendor response and patches increases the risk for organizations relying on this software, as they remain exposed to potential future exploits.

Organizations should immediately assess their use of UltraVNC version 1.6.4.0 and consider the following mitigations: 1) Restrict local access to systems running UltraVNC to trusted users only, minimizing the risk of local exploitation. 2) Employ application whitelisting and strict DLL loading policies to prevent unauthorized DLL injection or loading from untrusted directories. 3) Use Windows security features such as AppLocker or Windows Defender Application Control to control which DLLs can be loaded by services. 4) Monitor systems for unusual DLL loading behavior or privilege escalation attempts using endpoint detection and response (EDR) tools. 5) If possible, upgrade to a newer version of UltraVNC that addresses this vulnerability once available or consider alternative remote desktop solutions with active vendor support. 6) Implement strict file system permissions on directories involved in DLL loading to prevent unauthorized file placement. 7) Maintain robust local user account management and auditing to detect suspicious activity. These steps go beyond generic advice by focusing on controlling DLL search paths and limiting local attack vectors.