Abstract
VNC (Virtual Network Computing) and its underlying RFB (Remote Framebuffer) protocol provide graphical remote desktop access and are widely deployed across enterprise, development, and administrative environments. Because VNC is often exposed directly to the Internet, whether intentionally or through misconfiguration, it represents a persistent and consequential attack surface. This paper analyzes VNC scanning and attack patterns using passive observation data from the Dataplane.org vncrfb signal feed, and provides practical defensive guidance for operators.
Background
VNC uses the RFB protocol (RFC 6143) to transmit framebuffer updates and input events between a server and client. Authentication in standard VNC implementations uses a simple challenge-response mechanism based on a shared password (VNC Authentication, security type 2). This mechanism has several weaknesses:
- No account lockout: Most VNC implementations do not enforce lockout after failed authentication attempts by default
- Weak cipher: VNC Authentication uses DES with a server-sent 16-byte challenge, which is vulnerable to offline cracking if network traffic is captured
- Single factor: Standard VNC provides no multi-factor option
- No transport encryption: Classic RFB provides no encryption beyond the authentication exchange; screen content, keyboard input, and clipboard data are transmitted in cleartext unless tunneled through SSH or a VPN
These properties make exposed VNC servers attractive targets for automated scanning, brute-force, and credential stuffing.
Observations from Sensor Data
The Dataplane.org vncrfb feed captures source IPs observed initiating the RFB protocol handshake with sensor infrastructure. This includes the TCP connection on port 5900 (the standard VNC port) and at least the RFB ProtocolVersion message exchange.
Source Volume
Dataplane.org sensors observe between 3,000 and 8,500 unique source IPs initiating VNC RFB connections per day. Volume spikes correlate with:
- Publication of new VNC vulnerability disclosures
- Botnet-driven mass scanning campaigns
- Publication of default credential lists for new device categories
Scanning Infrastructure
The source IP distribution for VNC scanning is distinct from SSH scanning:
- A higher proportion of VNC scanning originates from dedicated scanning infrastructure (large cloud provider blocks, known security research and mass-scanning ASNs like Shodan, Censys, and similar platforms)
- A meaningful fraction originates from previously compromised hosts being used as scanning pivots
- Residential broadband origin is less prevalent than for SSH, suggesting a different attacker profile: more targeted or research-oriented, less opportunistic botnet-driven
Geographic Distribution
Source IPs are concentrated in:
- North American cloud hosting (AWS us-east, GCP, Azure)
- European hosting (OVH, Hetzner, Leaseweb)
- Asian hosting (Alibaba Cloud, Tencent, Korea Telecom)
Authentication Behavior
Of connections that advance past the initial RFB handshake, most attempt VNC Authentication (security type 2). A subset probe for:
- None authentication (security type 1): indicating misconfigured “no password” VNC servers
- Apple Remote Desktop authentication: indicating opportunistic probing for macOS ARD
- TLSv1 security types (18/19): indicating capability testing or probing for VNC/TLS configurations
Threat Categories
Mass Credential Scanning
The most common threat: automated scanning that connects to port 5900, performs the RFB handshake, and attempts a fixed list of common VNC passwords (password, vnc, 1234, admin, root, empty string, device manufacturer defaults). These scans typically do not maintain persistence; they record successful auths for later exploitation.
Targeted Exploitation
Specific CVEs in VNC implementations have enabled authentication bypass or remote code execution. Notable examples include:
- CVE-2019-15681 (LibVNCServer): Memory leak allowing unauthenticated information disclosure
- CVE-2020-14397/14398/14399/14400/14401/14402 (LibVNCServer): Multiple memory corruption issues
- CVE-2019-0887 (Windows RDP/VNC combination attacks): Clipboard-based path traversal
- UltraVNC multiple CVEs: Authentication bypass and buffer overflow vulnerabilities
Scanning for these vulnerabilities is observable in RFB handshake patterns, specifically in the security type negotiation sequence.
Post-Compromise Lateral Movement
Compromised hosts are commonly used to scan internal networks for VNC access. Traffic patterns characteristic of lateral movement VNC scanning differ from external scanning: higher connection rates per source IP, narrower target port ranges, and source IPs from RFC 1918 address space.
Defensive Countermeasures
Never Expose VNC Directly to the Internet
The most important control. VNC was designed for LAN use and should never have a direct Internet-facing listener. Use an authenticated tunnel (SSH port forwarding, a VPN, or a zero-trust access solution) to access VNC over untrusted networks.
# Correct: SSH tunnel to VNC
ssh -L 5901:localhost:5900 user@remote-host
# Then connect your VNC client to localhost:5901
Bind VNC to localhost only (-localhost flag in most VNC servers) to prevent any direct external access.
Firewall Rules
If VNC must be network-accessible, restrict it to specific source IPs:
# Allow VNC only from management IP range
iptables -A INPUT -p tcp --dport 5900 -s 203.0.113.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5900 -j DROP
Strong Authentication
- Set a strong, unique VNC password (8+ characters, mixed case and symbols)
- Prefer VNC implementations with stronger authentication options (NLA, TLS, or integrated with system authentication)
- Consider TigerVNC with VeNCrypt for TLS-wrapped, username+password authentication
VNC Authentication Rate Limiting
Most VNC servers support a delay-after-failure mechanism. Configure it:
# In ~/.vnc/config or /etc/vnc/config:
BlacklistThreshold=5
BlacklistTimeout=3600
Some distributions default to very short blacklist timeouts or no blacklisting at all.
Signal-Feed-Based Blocking
The Dataplane.org vncrfb feed provides IPs observed initiating RFB handshakes. These can be applied as a defensive blocklist:
# Download and apply VNC scanner blocklist
wget -q https://dataplane.org/vncrfb.txt -O /tmp/vncrfb.txt
ipset create vncrfb hash:ip
while read ip; do
[[ "$ip" =~ ^#|^$ ]] && continue
ipset add vncrfb "$ip" 2>/dev/null
done < /tmp/vncrfb.txt
iptables -I INPUT -m set --match-set vncrfb src -p tcp --dport 5900 -j DROP
Patching and Software Selection
- Keep VNC server software current; most CVEs are patched promptly in maintained implementations
- Prefer actively maintained forks: TigerVNC, TurboVNC, or LibVNCServer-based software with recent patches
- Avoid legacy, unmaintained VNC server software (old UltraVNC versions, RealVNC versions prior to 6.x)
Monitoring and Detection
Enable logging for VNC authentication failures. A single external IP attempting more than 3 connections per minute to port 5900 is a reliable indicator of automated scanning. Integrate with SIEM or log management:
- Log connection attempts at the firewall level
- Alert on authentication failures exceeding a threshold
- Correlate source IPs against Dataplane.org
vncrfbfeed entries for rapid context
Conclusion
VNC scanning and credential attacks are a persistent, automated phenomenon driven by both opportunistic botnets and more targeted security research infrastructure. The VNC RFB protocol’s weak default authentication, common misconfiguration patterns (public exposure, no password, default credentials), and history of implementation CVEs make it a consistently attractive target.
The most effective defense is architectural: do not expose VNC to untrusted networks. For operators who cannot immediately change their exposure model, the following layered countermeasures meaningfully reduce risk: strong credentials, rate limiting, source IP restriction, and signal-feed-based blocking.
Data used in this analysis was collected passively by Dataplane.org sensor infrastructure on port 5900. No active probing or exploitation was performed. The vncrfb feed is available as a free daily download at dataplane.org/vncrfb.txt.