1.8M RDP, 1.6M VNC Servers Found Exposed Online
Forescout found 1.8 million RDP and 1.6 million VNC servers exposed online; many run outdated Windows and lack proper authentication.
Forescout Vedere Labs reported that scans of the public internet located 1.8 million Remote Desktop Protocol (RDP) servers and 1.6 million Virtual Network Computing (VNC) servers exposed online. The researchers used the device-search engine Shodan and found the largest concentrations in China and the United States.
After excluding systems the team identified as likely honeypots, Forescout classified about 91,000 exposed RDP servers and 29,000 exposed VNC servers by industry. More than 40% of exposed RDP servers ran Windows 10, and roughly 18% ran end-of-life Windows builds. The analysis flagged about 19,000 RDP servers vulnerable to BlueKeep, a remote code execution flaw disclosed in 2019.
Many VNC servers were found with authentication disabled, allowing anyone who connects to interact with the desktop. The report warned that attackers who gain access through exposed remote desktop services can obtain “broad, persistent” access and carry out activities such as defacing systems, disrupting processes, wiping data or moving laterally within networks.
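The "authentication disabled" condition is visible in the first two messages a VNC (RFB) server sends, so a defender can check handshakes recorded from their own inventory. The following is an added example, not code from the Forescout report; it assumes the auditing client echoed the server's announced version, and the host names and capture bytes are constructed samples.

```python
import re
import struct

# Security-type numbers defined for RFB in RFC 6143.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

def parse_rfb_security(version_msg: bytes, security_msg: bytes) -> dict:
    """Classify the first two server messages of a recorded RFB handshake.

    Assumes the auditing client echoed the server's version, so the
    security message uses the format of the announced version.
    """
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", version_msg)
    if not m:
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(m.group(1)), int(m.group(2)))
    if version >= (3, 7):
        # 3.7 and later: a count byte, then that many one-byte types.
        if not security_msg:
            raise ValueError("truncated security message")
        count = security_msg[0]
        types = list(security_msg[1:1 + count]) if count else [0]
        if count and len(types) != count:
            raise ValueError("truncated security-type list")
    else:
        # 3.3: the server dictates one type as a big-endian uint32.
        if len(security_msg) < 4:
            raise ValueError("truncated security message")
        types = [struct.unpack(">I", security_msg[:4])[0]]
    return {
        "version": "%d.%d" % version,
        "types": [SECURITY_TYPES.get(t, f"type {t}") for t in types],
        "no_auth_offered": 1 in types,
    }

def hosts_without_auth(captures: dict) -> list:
    """Return the hosts whose recorded handshake offers security type None."""
    return sorted(h for h, (v, s) in captures.items()
                  if parse_rfb_security(v, s)["no_auth_offered"])

# Constructed sample captures (hypothetical host names, not report data).
SAMPLE_CAPTURES = {
    "hmi-01.example": (b"RFB 003.008\n", b"\x01\x01"),          # None only
    "kiosk-02.example": (b"RFB 003.008\n", b"\x01\x02"),        # VNC auth only
    "lab-03.example": (b"RFB 003.008\n", b"\x02\x02\x01"),      # both offered
    "legacy-04.example": (b"RFB 003.003\n", b"\x00\x00\x00\x01"),  # 3.3, None
    "edge-05.example": (b"RFB 003.008\n", b"\x00\x00\x00\x00\x04busy"),  # refused
}

if __name__ == "__main__":
    print(hosts_without_auth(SAMPLE_CAPTURES))
```

A host is flagged when type None appears anywhere in the offered list, because a client may select it even when VNC Authentication is also offered.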
Industry distribution varied. For RDP, retail accounted for about 32% of exposed servers and services about 23%. For VNC, education made up about 28% and services about 22%.
Forescout noted that exposure counts alone do not determine risk and highlighted differences in operational environments across sectors. Transportation setups frequently require multi-vendor access, manufacturing has been targeted by ransomware through RDP, and utilities may operate with constrained budgets while facing hacktivist activity.
To reduce exposure, the report recommended replacing ad hoc remote-access arrangements with secure remote access systems that enforce stronger authentication, authorization, logging and accountability. The authors added that “Access should be governed with the same rigor as procedures on the plant floor.”
The report documents that widely deployed remote-access technologies, combined with outdated operating systems and weak authentication settings, left a large number of services exposed on the public internet.



