HUNDREDS of Internet-facing VNC servers expose ICS/OT, with Forescout identifying tens of thousands of exposed RDP and VNC servers that can be mapped to specific industries. A Shodan search shows roughly 1.8 million RDP and 1.6 million VNC servers exposed on the internet, with the majority in China and the United States, of which 91,000 RDP and 29,000 VNC servers could be linked to specific industries.
More than 19,000 RDP servers are vulnerable to the old BlueKeep vulnerability, and nearly 60,000 VNC servers do not have authentication enabled, with 670 VNC servers providing direct access to ICS/OT panels without authentication. Russia-linked hackers have been known to target OT systems via VNC, and a group known as Infrastructure Destruction Squad and Dark Engine has shared a tool to scan for RDP, VNC and OT protocols, accompanied by a video of a compromised groundwater pumping station.
The Redheberg botnet has infected nearly 40,000 exposed VNC servers since February, underscoring why organisations should deploy dedicated secure remote access solutions, according to Forescout. 29 April 2026.