Hundreds of Internet-Facing VNC Servers Expose ICS/OT

Summary

Security research by Forescout revealed millions of internet-facing RDP and VNC servers globally, with 91,000 RDP and 29,000 VNC servers linked to specific industries including manufacturing, healthcare, and critical infrastructure. The research identified 670 VNC servers providing direct unauthenticated access to ICS/OT panels, with active exploitation documented by Russia-linked threat actors (Infrastructure Destruction Squad/Dark Engine) and the Redheberg botnet infecting nearly 40,000 VNC servers since February. Over 19,000 RDP servers remain vulnerable to the BlueKeep exploit, and nearly 60,000 VNC servers lack authentication entirely.

Full text

Millions of remote access RDP and VNC servers are exposed to the internet, and hundreds of them may provide access to industrial control systems (ICS) and other operational technology (OT), according to research by Forescout. RDP (Remote Desktop Protocol) and VNC (Virtual Network Computing) are widely used for remote access, but they should not be exposed directly to the open internet without a secure gateway. A Shodan search shows roughly 1.8 million RDP and 1.6 million VNC servers exposed on the internet, a majority in China and the United States. Forescout has determined that the majority are honeypots, ISPs, and hosting providers, but its researchers still found 91,000 RDP and 29,000 VNC servers that could be linked to specific industries. A significant percentage of exposed servers is hosted by organizations in the retail, education, services, manufacturing, and healthcare sectors. An analysis showed that many of the exposed servers run Windows versions that reached end of life or end of support. More than 19,000 RDP servers are vulnerable to the old vulnerability named BlueKeep, which has been exploited by a wide range of threat actors. In addition, nearly 60,000 VNC servers do not have authentication enabled. One of the most concerning findings is that 670 of these VNC servers provide direct access to ICS/OT panels without authentication. Advertisement. Scroll to continue reading. Access to these cyber-physical systems (CPS) can be highly valuable to attackers, and the threat is not only theoretical. Forescout pointed out that Russia-linked hackers have been known to target OT systems via VNC, as warned by government agencies in December 2025. One Russia-linked group, known as Infrastructure Destruction Squad (IDS) and Dark Engine, recently shared a tool designed to scan for RDP, VNC, and OT-specific protocols. “On February 23, the group shared a video of a purportedly compromised groundwater pumping station in Israel that it said was found with this tool. On March 9, the group shared another example of the tool being run against a specific target set, including a VNC screenshot of a control system in Turkey,” Forescout said, adding, “Between these two posts, the group also advertised the sale of access to an exposed SCADA system in Czechia.” In addition to these attacks, the cybersecurity firm noted that profit-driven cybercriminals have been abusing RDP for ransomware deployment, and that the Redheberg botnet has infected nearly 40,000 exposed VNC servers since February. Organizations can mitigate these risks by using dedicated secure remote access solutions, including ones designed specifically for accessing sensitive CPS. Related: Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking Related: ZionSiphon Malware Targets ICS in Water Facilities Related: CISA Warns of ScadaBR Vulnerability After Hacktivist ICS Attack Related: ICS Devices Bricked Following Russia-Linked Intrusion Into Polish Power Grid Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Robinhood Vulnerability Exploited for Phishing AttacksElectric Motorcycles and Scooters Face Hacking Risks to Security and Rider SafetyMedtronic Hack Confirmed After ShinyHunters Threatens Data LeakMalicious AI Prompt Injection Attacks Increasing, but Sophistication Still Low: GoogleEnergy and Water Management Firm Itron HackedFirefox Vulnerability Allows Tor User FingerprintingLocked Shields 2026: 41 Nations Strengthen Cyber Resilience in World’s Biggest ExerciseVulnerabilities Patched in CrowdStrike, Tenable Products Latest News Fresh LiteLLM Vulnerability Exploited Shortly After DisclosureCheckmarx Confirms Data Stolen in Supply Chain AttackIranian Cyber Group Handala Targets US Troops in Bahrain38 Vulnerabilities Found in OpenEMR Medical SoftwareChrome 147, Firefox 150 Security Updates Rolling OutCritical GitHub Vulnerability Exposed Millions of RepositoriesCyber Insurance Data Gives CISOs New Ammo for Budget TalksVimeo Confirms User and Customer Data Breach Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveMongoDB has appointed Doug Bowers as Chief Information Security Officer.Ben Wilkens has been promoted to Director of Cybersecurity at NMFTA.Cato Networks has appointed Meital Koren as Chief Legal Officer.More People On The MoveExpert Insights The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — Redheberg

Entities