CVE-2022-25226

CRITICAL NUCLEI

ThinVNC 1.0b1 - Unauthenticated Authentication Bypass and Remote Code Execution via CMD Connect

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-25226. PoCs published by krill-x7. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2022-25226, an authentication bypass vulnerability in ThinVNC 1.0b1 that leads to remote code execution via PowerShell command injection and AMSI bypass.

Description

ThinVNC version 1.0b1 allows an unauthenticated user to bypass the authentication process via 'http://thin-vnc:8080/cmd?cmd=connect' by obtaining a valid SID without any kind of authentication. It is possible to achieve code execution on the server by sending keyboard or mouse events to the server.

Exploits (1)

nomisec WORKING POC 1 stars
by krill-x7 · poc
https://github.com/krill-x7/CVE-2022-25226

This repository contains a functional exploit for CVE-2022-25226, an authentication bypass vulnerability in ThinVNC 1.0b1 that leads to remote code execution via PowerShell command injection and AMSI bypass.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ThinVNC 1.0b1
No auth needed
Prerequisites: Network access to ThinVNC server · HTTP server to host reverse shell payload · Listener for reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

ThinVNC - Authentication Bypass
CRITICALVERIFIEDby ritikchaddha
Shodan: http.favicon.hash:-1414548363
FOFA: icon_hash="571240285"

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://fluidattacks.com/advisories/sinatra/

Scores

CVSS v3 10.0
EPSS 0.1087
EPSS Percentile 95.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

Status published
Products (1)
cybelsoft/thinvnc 1.0 b1
Published Apr 18, 2022
Tracked Since Feb 18, 2026