UltraVNC CVE applicability assessment

Overview

Recently, Common Vulnerabilities and Exposures (CVEs) were disclosed affecting UltraVNC, a third-party component Datto RMM uses for VNC-based remote control. This article covers Kaseya's response efforts, assessment of why these CVEs are not and were not exploitable in the Generally available configuration of Datto RMM as shipped, and Guidance to customers on next steps.

Background

Datto RMM previously bundled UltraVNC version 1.3.8.1. Six CVEs were disclosed against UltraVNC versions up to and including 1.8.2.2:

  • CVE-2026-7829
  • CVE-2026-7830
  • CVE-2026-7831
  • CVE-2026-7838
  • CVE-2026-7839
  • CVE-2026-7840

The version Datto RMM shipped fell within the affected range. In response, Datto RMM has updated the bundled component to UltraVNC 1.8.2.4, the current release, which resolves all of the above.

Assessment

Beyond updating the version, Datto RMM reviewed each CVE against how it implements UltraVNC. The CVEs fall into three groups:

CVEs Vulnerability type Exploitable as shipped?
CVE-2026-7829, CVE-2026-7839, CVE-2026-7840 Affects the UltraVNC Repeater component No. Datto RMM does not install, invoke, or expose the Repeater component.
CVE-2026-7831, CVE-2026-7838 Require a malicious or compromised VNC server configuration No. Datto RMM does not invoke a standalone VNC viewer client, and connections are brokered entirely through the managed agent.
CVE-2026-7830 Man-in-the-middle risk tied to the MS-Logon II protocol No. Datto RMM does not negotiate or support MS-Logon II, and the VNC connection is limited to localhost, brokered through the agent rather than exposed over the network.

Based on this review, Kaseya has determined that none of the six CVEs are exploitable in Datto RMM's implementation as deployed. However, out of an abundance of caution, Datto RMM updated the component to prevent the spread of vulnerable versions among our customer base, and prevent any potential downstream impact to customers leveraging this feature of Datto RMM.

Resolution steps taken in Datto RMM

Datto RMM replaced the bundled UltraVNC binaries with version 1.8.2.4 across all Datto RMM platforms. Because UltraVNC is delivered as a separate downloadable package rather than compiled into the agent, Datto RMM rolled out this update automatically to any account with the VNC integration enabled, without requiring a new agent release.

How to verify your version

On a managed device, check the .versionstamp file located at C:\Program Files (x86)\CentraStage\UltraVNC. It should read 1.8.2.4. If it doesn't, allow time for your device's next scheduled check-in, restart the Datto RMM Agent manually, or contact Support.

Recommended action

No action is required. If you previously disabled the VNC integration as a precaution, it's safe to re-enable it. Refer to Enable the VNC Integration

Related resources

Release Notes: UltraVNC Component update