Forescout: 1.8M RDP, 1.6M VNC exposed; 19K BlueKeep
Forescout Vedere Labs found 1.8 million RDP and 1.6 million VNC servers exposed online; after filtering it identified 91,000 RDP and 29,000 VNC industry assets, including 19,000 BlueKeep-vulnerable RDP hosts.
Forescout Vedere Labs found 1.8 million Remote Desktop Protocol (RDP) and 1.6 million Virtual Network Computing (VNC) servers accessible on the public internet. Researchers used the Shodan device search engine to locate endpoints and excluded likely honeypots and non-enterprise hosts to focus on assets tied to industry networks.
After filtering, the team classified 91,000 RDP and 29,000 VNC systems as associated with corporate or industrial networks. Most scanned endpoints were located in China and the United States, the report notes.
More than 40% of the exposed RDP servers ran Windows 10 and about 18% ran end-of-life Windows releases, leaving those hosts open to known vulnerabilities. The report identified roughly 19,000 exposed RDP servers that remain vulnerable to BlueKeep, the RDP vulnerability disclosed in 2019.
Many VNC services were found with authentication disabled. The report states that weak or absent authentication and authorization controls can allow an intruder to gain broad, persistent access to systems. Exposed remote-access assets could be used to deface systems, disrupt processes, wipe data, or move laterally into wider networks.
The distribution of classified exposures varied by sector. For RDP, 32% of the assets were in retail and 23% in general services. For VNC, 28% were in education and 22% in services. The report notes that sectors face different operational constraints, such as multi-vendor access in transportation, ransomware targeting in manufacturing, and limited budgets in water and utilities.
The report recommends reducing internet-facing remote access, enforcing strong authentication and authorization, applying patches, and using secure remote-access solutions with segmentation to limit the impact of a compromised endpoint. Researchers urged organizations to treat remote access as a controlled operational workflow and wrote, “Access should be governed with the same rigor as procedures on the plant floor.”



