CVE-2025-26326 Information

Description

A vulnerability in the remote connection complements of the NVDA (Nonvisual Desktop Access) 2024.4.1 and 2024.4.2 was identified which allows an attacker to obtain total control of the remote system when guessing a weak password. The problem occurs because the complements accept any password typed by the user and do not have an additional authentication or checking mechanism by the computer that will be accessed. Tests indicate that over 1000 systems use easy to guess passwords many with less than 4 to 6 characters including common sequences. This enables brute strength or attempt and error attacks on the part of malicious invaders. Vulnerability can be explored by a remote striker who knows or can guess the password used in the connection. As a result the invader gets complete access to the affected system and can run commands modify files and compromise user security.

Reference

https://github.com/azurejoga/CVE-2025-26326 https://www.nvaccess.org