Virtual Network Computing (VNC)

Severity: High

Likelihood: Medium–High (very common in misconfigured environments, especially in cloud/remote access setups)

General Guidance

Restrict VNC access to trusted networks and enforce strong authentication (or VPN + MFA). Disable direct internet exposure and ensure encryption is enabled.

What is the concern?

VNC is a remote desktop protocol that, when exposed to the internet or improperly secured, allows attackers to remotely control systems. Many VNC deployments lack strong authentication or encryption, making them susceptible to brute-force attacks, credential theft, or unauthorized access.

Business Impact

  • Full remote control of affected systems

  • Data theft or manipulation

  • Deployment of ransomware or malware

  • Lateral movement within the network

  • Operational disruption and potential regulatory impact (depending on data accessed)

How can this risk be resolved?

  • Disable direct internet exposure of VNC (no open ports like 5900)

  • Require access through VPN or Zero Trust solutions

  • Enforce strong passwords and implement MFA where possible

  • Enable encryption (e.g., use secure variants like VNC over SSH)

  • Limit access via IP allowlisting/firewalls

  • Regularly audit and remove unused remote access services

VNC services should be placed behind a firewall and/or VPN (or an equivalent control) to prevent unwanted access or intrusion that could later be used to reach the internal network, whether through connected devices or an accidental connection onto the core network. If these services are placed behind a firewall/VPN, only a narrow set of allow-listed services should be permitted to connect. If you do this, KYND will mark the issue as resolved.

If this isn’t possible, you should take alternative steps to mitigate the issue.

This could include adding extra layers of authentication, such as MFA or PKI certificates, to ensure that only authenticated users and services are able to connect.

If none of these are possible, then these services should be entirely separated from the rest of your organization's infrastructure, ensuring that there is no way an attacker could traverse from an attack on this service to gain access to sensitive data, services, networks or infrastructure.
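The first remediation step above is to stop VNC listening on internet-facing addresses at all: the server should bind to loopback and be reached through an SSH tunnel or VPN. The following script is an added example (it is not KYND's tooling or any VNC vendor's code) that audits a Linux host for VNC listeners bound to anything other than loopback. It parses the column layout printed by `ss -ltnp` and ships with a constructed sample of that output so it runs offline; the live audit function is an assumption that your `ss` prints the same columns.

```python
"""Audit listening sockets for VNC servers reachable from non-loopback addresses.

Added example, not KYND's tooling. Parses `ss -ltnp` style output; the
SAMPLE_SS_OUTPUT below is constructed so the audit can be run offline.
"""
import re
import subprocess
from dataclasses import dataclass

# RFB display ports: 5900 + display number (display :1 listens on 5901, etc.)
VNC_PORTS = range(5900, 6000)

# Constructed sample in the layout `ss -ltnp` prints on Linux (assumption:
# your distribution's ss prints these same columns in this order).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=1234,fd=3))
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*         users:(("Xtigervnc",pid=1300,fd=6))
LISTEN 0      5      [::]:5902           [::]:*            users:(("Xvnc",pid=1400,fd=7))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))
"""


@dataclass
class Listener:
    address: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        # 127.0.0.0/8 or ::1; anything else (0.0.0.0, ::, *, a NIC address)
        # is reachable from the network and counts as exposed.
        return self.address == "::1" or self.address.startswith("127.")


def parse_ss(output: str) -> list:
    """Turn `ss -ltnp` text into Listener records (header line is skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")   # split on the LAST colon (IPv6 safe)
        host = host.strip("[]")                     # "[::]" -> "::"
        process = "?"
        if len(fields) > 5:
            m = re.search(r'\("([^"]+)"', fields[5])  # users:(("x11vnc",pid=...))
            if m:
                process = m.group(1)
        listeners.append(Listener(host, int(port), process))
    return listeners


def exposed_vnc_listeners(listeners) -> list:
    """VNC-range listeners that are not restricted to loopback."""
    return [l for l in listeners if l.port in VNC_PORTS and not l.loopback_only]


def audit_live() -> list:
    """Run the audit against the current host (requires `ss`; assumption above)."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    return exposed_vnc_listeners(parse_ss(out))


if __name__ == "__main__":
    for l in exposed_vnc_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"EXPOSED: {l.process} listening on {l.address}:{l.port} - bind to loopback")
```

On the sample, the x11vnc listener on 0.0.0.0:5900 and the Xvnc listener on [::]:5902 are reported; the TigerVNC display on 127.0.0.1:5901 is not. A loopback-bound display is then reached over SSH with a local port forward (for example `ssh -L 5901:127.0.0.1:5901 user@host`, then point the viewer at localhost:5901), which gives the encryption the guidance asks for without opening 59xx to the internet.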

Real-World Example

  • Ransomware campaigns (multiple incidents, 2020–2024): Attackers have repeatedly scanned for open VNC services and used weak or no authentication to gain access. In several documented cases, attackers manually navigated systems via VNC to deploy ransomware, bypassing traditional detection methods.

  • Industrial/OT environments: Poorly secured VNC instances have been found exposed on manufacturing and SCADA systems, allowing potential attackers to directly interact with operational systems, posing both cyber and physical risks.

Detection Opportunities

  • Monitor for:

    • Repeated failed login attempts to VNC services (brute-force indicators)

    • Unusual remote session activity (e.g., logins outside business hours)

    • Connections from unfamiliar or foreign IP addresses

  • Network scanning:

    • Identify exposed ports (TCP 5900–590x; VNC listens on 5900 plus the display number)

  • Endpoint detection:

    • Unexpected processes launched via remote sessions

  • Log analysis:

    • VNC server logs (where available) for session tracking

  • Threat hunting:

    • Look for tools or scripts commonly used to scan for VNC services
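The first three detection opportunities (brute-force indicators, off-hours sessions, unfamiliar source addresses) can be implemented as a small rule set over VNC server authentication logs. The script below is an added example, not KYND's code; VNC servers do not share a common log format (TigerVNC, RealVNC, x11vnc and UltraVNC all differ), so it uses a constructed one-event-per-line format and a constructed sample log. The trusted network, business hours and brute-force threshold are assumptions to adapt; only parse_line() needs changing to run it over a real log.

```python
"""Detection rules for VNC authentication logs: brute-force bursts, off-hours
logins and logins from outside the expected network.

Added example, not KYND's code. The log format and sample are constructed;
replace parse_line() to match your VNC server's real log lines.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample: `<ISO timestamp> <AUTH_FAIL|AUTH_OK> <client ip>` per line.
SAMPLE_LOG = """\
2024-03-04T02:11:05 AUTH_FAIL 203.0.113.45
2024-03-04T02:11:07 AUTH_FAIL 203.0.113.45
2024-03-04T02:11:09 AUTH_FAIL 203.0.113.45
2024-03-04T02:11:11 AUTH_FAIL 203.0.113.45
2024-03-04T02:11:13 AUTH_FAIL 203.0.113.45
2024-03-04T02:11:15 AUTH_OK 203.0.113.45
2024-03-04T09:30:00 AUTH_OK 10.20.30.40
2024-03-04T09:45:00 AUTH_FAIL 10.20.30.41
2024-03-04T22:15:00 AUTH_OK 10.20.30.42
"""

# Assumptions to tune per environment.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]  # e.g. the VPN address pool
BUSINESS_HOURS = range(8, 19)                                # 08:00-18:59 local time
BRUTE_FORCE_THRESHOLD = 5                                    # failures per source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)                    # ... inside this window

LINE_RE = re.compile(r"^(\S+) (AUTH_FAIL|AUTH_OK) (\S+)$")


def parse_line(line):
    """Return (timestamp, outcome, ip) or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, ip = m.groups()
    return datetime.fromisoformat(ts), outcome, ipaddress.ip_address(ip)


def analyse(log_text):
    """Apply the three rules in log order; returns (rule, ip, timestamp) alerts."""
    alerts = []
    failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    flagged_bruteforce = set()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, outcome, ip = parsed
        if outcome == "AUTH_FAIL":
            # Sliding window: drop failures older than BRUTE_FORCE_WINDOW.
            failures[ip] = [t for t in failures[ip] + [ts] if ts - t <= BRUTE_FORCE_WINDOW]
            if len(failures[ip]) >= BRUTE_FORCE_THRESHOLD and ip not in flagged_bruteforce:
                flagged_bruteforce.add(ip)      # alert once per source, not per attempt
                alerts.append(("brute_force", str(ip), ts))
            continue
        # Successful login: check where it came from and when.
        if not any(ip in net for net in TRUSTED_NETWORKS):
            alerts.append(("untrusted_source", str(ip), ts))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", str(ip), ts))
        if ip in flagged_bruteforce:
            # Highest-priority signal: a guessed password that worked.
            alerts.append(("success_after_bruteforce", str(ip), ts))
    return alerts


if __name__ == "__main__":
    for rule, ip, ts in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:<24} {ip}")
```

On the sample, 203.0.113.45 trips the brute-force rule on its fifth failure and then produces three more alerts when the sixth attempt succeeds (untrusted source, off hours, success after brute force); the daytime VPN login is silent, the single failure from 10.20.30.41 stays under threshold, and the 22:15 login from the trusted range is reported only as off hours. The "success after brute force" alert is the one worth paging on, since it matches the manual hands-on-keyboard pattern described in the ransomware example above.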