Millions of RDP and VNC Servers Exposed, Heightening Cybersecurity Risks to Critical Infrastructure
New research from Forescout Technologies’ Vedere Labs reveals a staggering 1.8 million Remote Desktop Protocol (RDP) and 1.6 million Virtual Network Computing (VNC) servers exposed to the internet, creating significant security vulnerabilities across industrial and enterprise environments. China leads in exposure, accounting for 22% of RDP and 70% of VNC servers, followed by the U.S. (20% RDP, 7% VNC) and Germany (8% RDP, 2% VNC).
Industry analysis shows retail, services, and education sectors dominate RDP exposure, while education, services, and healthcare lead in VNC exposure. Manufacturing, transportation, and utilities are also heavily impacted. Many exposed systems run outdated software: 18% of RDP servers use end-of-life Windows versions, and 42% rely on Windows 10, which no longer receives security updates. Additionally, over 19,000 RDP servers remain vulnerable to the critical BlueKeep flaw, and nearly 60,000 VNC servers have authentication disabled, including 670 directly linked to operational technology (OT) and industrial control systems (ICS).
Threat activity is escalating, with hacktivist groups actively sharing tools to identify and exploit vulnerable systems. The REDHEBERG botnet has infected nearly 40,000 exposed VNC assets since February. Since Russia’s invasion of Ukraine in 2022 and the Middle East conflict escalation in early 2026, hacktivist attacks on critical infrastructure have surged. Pro-Russian groups like Cyber Army of Russia Reborn (CARR), NoName057(16), Z-Pentest, and Sector16 have targeted exposed VNC servers, using brute-force attacks and custom tools to gain access. One such tool, the TRK25 ADVANCED SCADA scanner, probes RDP, VNC, and OT-specific protocols like Modbus and OPC, capturing screenshots of compromised systems. Recent incidents include a claimed breach of an Israeli groundwater pumping station and the sale of access to a Czech SCADA system.
The risks are compounded by insecure remote access practices in industrial environments. Traditional methods like VPNs and jump hosts often rely on shared credentials and lack granular control, while undocumented access pathways created by OEMs, contractors, or ad hoc connections operate without oversight. Legacy protocols, designed without remote connectivity in mind, further increase vulnerability to misconfigurations and unauthorized access. Limited session visibility exacerbates the problem, as organizations struggle to track who accesses critical systems and what actions they take.
Forescout’s research underscores that secure remote access (SRA) in cyber-physical systems (CPS) requires a fundamental shift: treating access as a controlled operational workflow rather than a simple network connection. Modern SRA solutions isolate sessions, rendering them as secure, browser-delivered streams to minimize exposure of fragile protocols. However, many organizations remain complacent, treating long-standing remote connections as "trusted" despite their inherent risks. As Mandolini of Forescout noted, these unsecured pathways, often overlooked in favor of more complex threat scenarios, frequently appear in breach reports under labels like "unauthorized access" or "compromised credentials." The findings highlight an urgent need for improved governance and visibility in remote access management to prevent exploitation of these persistent security gaps.
Forescout Technologies Inc. cybersecurity rating report: https://www.rankiteo.com/company/forescout-technologies
"id": "FOR1777631221",
"linkid": "forescout-technologies",
"type": "Vulnerability",
"date": "2/2026",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': ['Retail',
'Services',
'Education',
'Healthcare',
'Manufacturing',
'Transportation',
'Utilities'],
'location': ['China (22% RDP, 70% VNC)',
'U.S. (20% RDP, 7% VNC)',
'Germany (8% RDP, 2% VNC)'],
'type': ['Retail',
'Services',
'Education',
'Healthcare',
'Manufacturing',
'Transportation',
'Utilities']}],
'attack_vector': ['Brute-force attacks',
'Unauthorized access via exposed RDP/VNC',
'Custom SCADA scanners'],
'description': 'New research from Forescout Technologies’ Vedere Labs reveals '
'a staggering 1.8 million Remote Desktop Protocol (RDP) and '
'1.6 million Virtual Network Computing (VNC) servers exposed '
'to the internet, creating significant security '
'vulnerabilities across industrial and enterprise '
'environments. Threat activity is escalating, with hacktivist '
'groups actively sharing tools to identify and exploit '
'vulnerable systems. The risks are compounded by insecure '
'remote access practices in industrial environments, leading '
'to potential breaches in critical infrastructure.',
'impact': {'operational_impact': ['Potential unauthorized access to critical '
'infrastructure',
'Disruption of industrial processes'],
'systems_affected': ['RDP servers (1.8M)',
'VNC servers (1.6M)',
'Operational Technology (OT)',
'Industrial Control Systems (ICS)']},
'initial_access_broker': {'entry_point': ['Exposed RDP/VNC servers',
'Legacy protocols'],
'high_value_targets': ['Operational Technology (OT)',
'Industrial Control Systems '
'(ICS)']},
'lessons_learned': 'Secure remote access (SRA) in cyber-physical systems '
'(CPS) requires treating access as a controlled '
'operational workflow rather than a simple network '
'connection. Many organizations remain complacent, '
"treating long-standing remote connections as 'trusted' "
'despite their inherent risks.',
'motivation': ['Hacktivism',
'Financial gain (sale of access)',
'Cyber warfare'],
'post_incident_analysis': {'corrective_actions': ['Adopt modern Secure Remote '
'Access (SRA) solutions',
'Isolate sessions and '
'minimize exposure of '
'fragile protocols',
'Improve governance and '
'visibility in remote '
'access management',
'Address undocumented '
'access pathways',
'Enhance monitoring of '
'critical system access'],
'root_causes': ['Exposure of 1.8M RDP and 1.6M VNC '
'servers to the internet',
'Outdated software (18% RDP '
'servers use EOL Windows versions, '
'42% rely on Windows 10)',
'Disabled authentication in VNC '
'servers (nearly 60,000)',
'Insecure remote access practices '
'(VPNs, jump hosts with shared '
'credentials)',
'Undocumented access pathways by '
'OEMs/contractors',
'Legacy protocols designed without '
'remote connectivity in mind',
'Limited session visibility']},
'recommendations': ['Implement modern Secure Remote Access (SRA) solutions',
'Isolate sessions and deliver them as secure, '
'browser-delivered streams',
'Improve governance and visibility in remote access '
'management',
'Address undocumented access pathways and legacy protocol '
'vulnerabilities',
'Enhance session visibility to track access to critical '
'systems'],
'references': [{'source': 'Forescout Technologies’ Vedere Labs'}],
'response': {'enhanced_monitoring': ['Improved governance and visibility in '
'remote access management'],
'remediation_measures': ['Modern Secure Remote Access (SRA) '
'solutions',
'Isolation of sessions',
'Browser-delivered streams for secure '
'access']},
'threat_actor': ['Cyber Army of Russia Reborn (CARR)',
'NoName057(16)',
'Z-Pentest',
'Sector16',
'REDHEBERG botnet',
'Hacktivist groups'],
'title': 'Millions of RDP and VNC Servers Exposed, Heightening Cybersecurity '
'Risks to Critical Infrastructure',
'type': ['Exposed Servers', 'Vulnerability Exploitation'],
'vulnerability_exploited': ['Outdated software (EOL Windows versions)',
'BlueKeep flaw',
'Disabled authentication in VNC servers',
'Legacy protocols misconfigurations']}