CVE-2024-42049: 
TightVNC vulnerability analysis and mitigation

TightVNC (Server for Windows) before version 2.8.84 contains a security vulnerability that allows attackers to connect to the control pipe via a network connection. The vulnerability was discovered and disclosed in July 2024, affecting the Windows server component of TightVNC software (NVD, CVE).

The vulnerability has been assigned CVE-2024-42049 and has received a CVSS v3.1 base score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). The vulnerability is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (NVD).

The vulnerability allows unauthorized network access to the control pipe, potentially exposing sensitive information and allowing attackers to gain control over the TightVNC server. This could lead to unauthorized access to the affected systems and potential exposure of sensitive data (NVD).

The vulnerability has been fixed in TightVNC version 2.8.84. The update disables the ability to connect to the control pipe via network connections, disables the transmission of passwords through the pipe from the server to the control application, and ensures the server only accepts control connections from processes launched from the same path as the server itself on Windows Vista and later (TightVNC Changelog).