Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2025-26326 PoC — NVDA 安全漏洞

Source
https://github.com/azurejoga/CVE-2025-26326
Associated Vulnerability
Title:NVDA 安全漏洞 (CVE-2025-26326)
Description:A vulnerability was identified in the NVDA Remote (version 2.6.4) and Tele NVDA Remote (version 2025.3.3) remote connection add-ons, which allows an attacker to obtain total control of the remote system by guessing a weak password. The problem occurs because these add-ons accept any password entered by the user and do not have an additional authentication or computer verification mechanism. Tests indicate that more than 1,000 systems use easy-to-guess passwords, many with less than 4 to 6 characters, including common sequences. This allows brute force attacks or trial-and-error attempts by malicious invaders. The vulnerability can be exploited by a remote attacker who knows or can guess the password used in the connection. As a result, the attacker gains complete access to the affected system and can execute commands, modify files, and compromise user security.
Description
Critical security vulnerability in NVDA remote connection add-ons.
Readme
# CVE-2025-26326
Critical security vulnerability in NVDA remote connection add-ons.

# NVDA Remote Access Vulnerability Report

## Description
Critical security vulnerability in NVDA's remote connection add-ons.

## Vulnerability Details

**A vulnerability in the remote connection complements of NVDA (Nonvisual Desktop Access) was identified, allowing an attacker to obtain total control of the remote system by guessing a weak password.**

The problem occurs because the add-ons accept any password typed by the user and do not have an additional authentication or checking mechanism by the accessed computer.

Tests indicate that over 1,000 systems use easily guessable passwords, many with only 4 to 6 characters, including common sequences. This enables brute force or trial-and-error attacks by malicious actors.

A remote attacker who knows or can guess the connection password can gain complete access to the affected system, execute commands, modify files, and compromise user security.

## Additional Information

Nonvisual Desktop Access (NVDA) is a free, open-source, and portable screen reader for Microsoft Windows. The project was created in 2006 by Michael Curran.

## Vulnerability Type

- Incorrect Access Control

## Vendor of Product

- [nvaccess.org](https://www.nvaccess.org)

## Affected Product Code Base

- NVDA, versions 2024.4.2, 2024.4.1 - **All versions affected, no fix available**

## Affected Components

- NVDA Add-on
- nvda.exe

## Attack Type

- Remote

## Impact

- **Code Execution:** True
- **Escalation of Privileges:** True
- **Information Disclosure:** True

## Attack Vectors

1. Install NVDA on the target machine.
2. Open the NVDA Add-ons Store by pressing `Insert + N` and navigating to `Tools > Add-ons Store`.
3. In the store, locate and install an add-on such as **"NVDA Remote"** or **"Tele NVDA Remote"**.
4. Go to `Insert + N > Tools > Remote > Connect > Control another computer`.
5. Enter a remote address (e.g., `nvdaremote.com`, `telenvda remote`, or `nvdaremote.es`) and input any password between **1 to 6 characters long**, preferably an easily guessable one (e.g., "1234").
6. Click **OK** to initiate a connection to the target machine.
7. Once the connection is established, press **F11** to gain complete control over the target computer.
8. **Note:** The target user must have enabled the **"Control my computer"** option under `Tools > Remote > Control my computer` for the attack to succeed.

## Reference

- [NV Access](https://www.nvaccess.org)

## Discoverer

- **Juan Mathews Rebello Santos**
  - [LinkedIn](https://linkedin.com/in/juan-mathews-rebello-santos-)
  - [GitHub](https://github.com/azurejoga/)
File Snapshot

 [4.0K]  /data/pocs/dbbc27c80d797e790b6188d3ac2efe3cc85b478d
└── [2.6K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →