Anonymous Intelligence Signal

Hardcoded VNC Password `cloudlinux` Exposes Linux Desktops via Cloudflare Tunnels

human The Lab unverified 2026-04-25 14:54:09 Source: GitHub Issues

A critical security flaw has been identified in `install.sh`, where the VNC password is hardcoded in plaintext as `cloudlinux` at line 281. The vulnerable code is `printf "\ncloudlinux\ncloudlinux\n"`, and the credential it sets is a well-known default documented across security databases and attacker tooling. Any actor who discovers the associated Cloudflare tunnel URL can immediately authenticate to the target Linux desktop without additional reconnaissance.

The exposure grants a direct path to complete system access. Once inside the VNC session, an attacker can read files, execute commands, and potentially escalate privileges depending on the system configuration. Unlike a brute-force attack, no guessing is required: the credential is static, searchable, and reusable across any deployment of the affected script. This turns the vulnerability from a theoretical risk into an accessible attack surface the moment the tunnel URL becomes known.

The suggested remediation replaces the hardcoded value with dynamic password generation using `openssl rand -base64 32 | tr -d /+= | head -c 16`, which creates a unique, high-entropy password displayed once to the user and not stored in plaintext. Organizations deploying the affected script face immediate exposure if the Cloudflare tunnel URL is inadvertently shared, logged, or discovered through misconfiguration. Security teams should audit any current deployments, revoke access via the known credential, and apply the proposed fix before further exposure.
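
The remediation described above as a runnable sketch, added here and not taken from the affected repository: it generates the password with the quoted pipeline, rebuilds the three-line input of the original `printf` with the generated value, and checks a script for the static credential. The function names, the `/dev/urandom` fallback and the `set_password_cmd` placeholder are assumptions, and the sample line is constructed.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not from install.sh.

# Generate a 16-character alphanumeric password with the pipeline from the
# proposed fix. Assumption: fall back to /dev/urandom if openssl is absent.
gen_vnc_password() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32
    else
        head -c 32 /dev/urandom | base64
    fi | tr -d '/+=\n' | head -c 16
}

# Emit the same three-line input as the original printf (blank line,
# password, confirmation), with the generated value substituted.
vnc_password_input() {
    printf '\n%s\n%s\n' "$1" "$1"
}

# Audit helper: print numbered lines of a script that still contain the
# static credential. Exit status 0 means the script is still affected.
find_static_vnc_password() {
    grep -nF 'cloudlinux\ncloudlinux' -- "$1"
}

# Demo on a constructed one-line sample (set_password_cmd is a placeholder
# for whatever consumes the input; the page does not show it).
demo() {
    sample=$(mktemp)
    printf '%s\n' 'printf "\ncloudlinux\ncloudlinux\n" | set_password_cmd' > "$sample"
    if find_static_vnc_password "$sample"; then
        echo "static credential still present" >&2
    fi
    pw=$(gen_vnc_password)
    echo "VNC password (shown once, not written to disk): $pw" >&2
    # Fixed form of the flagged line would be:
    #   vnc_password_input "$pw" | set_password_cmd
    vnc_password_input "$pw" | wc -l
    rm -f "$sample"
    unset pw
}

demo
```

If the VNC server uses classic VNC authentication, only the first 8 characters of the password are significant, so the effective strength is lower than the 16 characters generated.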