CVE-2009-0388

UltraVNC 1.0.2-1.0.5 & TightVnc 1.3.9 - DoS/Code Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-0388. PoCs published by desi, Andres Luksenberg.

AI-analyzed exploit summary This exploit targets an authentication bypass vulnerability in TightVNC by sending malformed RFB protocol messages to trigger a buffer overflow, potentially leading to remote code execution. It sets up a fake VNC server on port 5900 and sends crafted packets to exploit CVE-2009-0388.

Description

Multiple integer signedness errors in (1) UltraVNC 1.0.2 and 1.0.5 and (2) TightVnc 1.3.9 allow remote VNC servers to cause a denial of service (heap corruption and application crash) or possibly execute arbitrary code via a large length value in a message, related to the (a) ClientConnection::CheckBufferSize and (b) ClientConnection::CheckFileZipBufferSize functions in ClientConnection.cpp.

Exploits (2)

exploitdb WORKING POC VERIFIED
by desi · pythondoswindows
https://www.exploit-db.com/exploits/8024

This exploit targets an authentication bypass vulnerability in TightVNC by sending malformed RFB protocol messages to trigger a buffer overflow, potentially leading to remote code execution. It sets up a fake VNC server on port 5900 and sends crafted packets to exploit CVE-2009-0388.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TightVNC (versions affected by CVE-2009-0388)
No auth needed
Prerequisites: Network access to the target · TightVNC service running on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Andres Luksenberg · pythondoswindows
https://www.exploit-db.com/exploits/7990

This exploit triggers an integer overflow in UltraVNC and TightVNC clients by sending a malformed RFB protocol response with an excessively large value (0xffffff) during the initial handshake, leading to a denial-of-service (DoS) condition.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: UltraVNC, TightVNC (multiple versions)
No auth needed
Prerequisites: Network access to the target VNC client · Target must initiate a connection to the malicious server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Various Sources x_refsource_confirm
http://forum.ultravnc.info/viewtopic.php?t=14654
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/0321
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/33568
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/500632/100/0/threaded
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8024
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/0322
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7990
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/33807

Scores

EPSS 0.1333
EPSS Percentile 95.9%

Details

CWE
CWE-189
Status published
Products (3)
tightvnc/tightvnc 1.3.9
ultravnc/ultravnc 1.0.2
ultravnc/ultravnc 1.0.5
Published Feb 04, 2009
Tracked Since Feb 18, 2026