New research from Forescout Technologies highlights scale and risk of insecure remote access across industrial and enterprise environments,... The post Forescout finds 3.4 million RDP and VNC servers exposed, raising risks to OT and enterprise networks appeared first on Industrial Cyber.
Analysis Summary
# Research: Forescout finds 3.4 million RDP and VNC servers exposed, raising risks to OT and enterprise networks
## Metadata
- **Authors:** Vedere Labs Researchers
- **Institution:** Forescout Technologies
- **Publication:** Industrial Cyber (Summarizing Forescout Research)
- **Date:** May 1, 2026
## Abstract
This research highlights the critical scale of insecure remote access protocols—specifically Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC)—exposed across global industrial and enterprise environments. The study identifies 3.4 million exposed servers, many of which lack basic authentication or run on end-of-life (EoL) software. The findings illustrate a significant threat to Cyber-Physical Systems (CPS) and Operational Technology (OT), where legacy architectures and "shadow" access points create unmanaged entry points for threat actors and botnets.
## Research Objective
The research aims to quantify the global exposure of RDP and VNC servers, evaluate the security posture of these exposed assets (particularly in critical infrastructure), and analyze the associated threat landscape involving botnets and hacktivism.
## Methodology
### Approach
The researchers used internet-wide scanning and telemetry analysis to identify exposed ports and services. They mapped the discovered assets to industries and geographic locations and assessed each asset against known vulnerabilities and configuration errors.
### Dataset/Environment
- **Primary Data:** 1.8 million exposed RDP servers and 1.6 million exposed VNC servers.
- **Scope:** Global coverage with deep dives into China, the U.S., and Germany.
- **Industry Verticals:** Retail, Education, Healthcare, Manufacturing, Transportation, and Utilities.
### Tools & Technologies
- **Scanning:** Shodan (for identifying publicly accessible servers).
- **Vulnerability Context:** Analysis of the "BlueKeep" vulnerability (CVE-2019-0708) and VNC authentication bypasses.
- **Threat Intelligence:** Monitoring of the REDHEBERG botnet and dark-web/hacktivist forums.
## Key Findings
### Primary Results
1. **Massive Global Exposure:** 3.4 million remote access servers are reachable via the public internet.
2. **Prevalence of Legacy Systems:** 18% of exposed RDP servers run end-of-life Windows systems; an additional 42% run Windows 10 (approaching/at end of support).
3. **Critical Authentication Gaps:** Nearly 60,000 VNC servers have authentication completely disabled, including 670 directly linked to OT/ICS control panels.
4. **Geographic Concentration:** China and the U.S. account for the vast majority of exposures (e.g., China hosts 70% of exposed VNC servers).
### Supporting Evidence
- **BlueKeep Risk:** Over 19,000 RDP servers remain unpatched for the critical BlueKeep flaw years after its disclosure.
- **Active Exploitation:** The REDHEBERG botnet has successfully infected approximately 40,000 VNC assets since February 2026.
### Novel Contributions
- Identifies the specific intersection between **General IT exposure** and **OT/CPS risk**, highlighting that insecure-by-design industrial components are being managed through equally insecure remote access models.
- Documents the trend of "shadow access" pathways—unauthorized entry points created by third-party contractors and OEMs that bypass formal security governance.
## Technical Details
The research emphasizes that CPS environments suffer from "insecure-by-design" functionality. Unlike modern IT environments, these systems often lack native identity and access management (IAM). When they are reached through jump hosts or VPNs, which typically grant broad, persistent network trust rather than granular, session-based access, a single compromised VNC/RDP credential can lead to total control over physical processes via human-machine interfaces (HMIs) and programmable logic controllers (PLCs).
## Practical Implications
### For Security Practitioners
- **Eliminate Shadow Access:** Conduct audits to identify undocumented remote access points installed by vendors or contractors.
- **Transition to SRA:** Move away from traditional VPNs and jump hosts toward Secure Remote Access (SRA) solutions that enforce zero-trust principles.
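An added check that ties the auth-disabled VNC finding above to the shadow-access audit (example code, not Forescout's tooling): it parses a VNC server's RFB handshake and flags listeners advertising security type 1, "None". The host and port arguments and the handshake bytes used to exercise the parser are assumptions.

```python
import socket
import struct

# RFB security types (RFC 6143 plus common registered extensions).
SECURITY_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                       5: "RA2", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_rfb_handshake(data: bytes) -> dict:
    """Parse the server's side of the RFB handshake: the 12-byte version
    banner followed by the security types it advertises."""
    if len(data) < 13 or not data.startswith(b"RFB "):
        raise ValueError("truncated or non-RFB handshake")
    major, minor = int(data[4:7]), int(data[8:11])
    body = data[12:]
    result = {"version": f"{major}.{minor}", "types": [], "error": None}
    if (major, minor) >= (3, 7):
        count = body[0]  # RFB 3.7+: U8 count, then that many U8 types
        if count == 0:   # zero means failure: U32 length + reason string
            reason_len = struct.unpack(">I", body[1:5])[0]
            result["error"] = body[5:5 + reason_len].decode(errors="replace")
        result["types"] = list(body[1:1 + count])
    else:
        # RFB 3.3: the server dictates a single U32 security type.
        result["types"] = [struct.unpack(">I", body[:4])[0]]
    # Type 1 ("None") hands any client a session with no authentication.
    result["auth_disabled"] = 1 in result["types"]
    result["names"] = [SECURITY_TYPE_NAMES.get(t, f"unknown({t})")
                       for t in result["types"]]
    return result


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def probe_vnc(host: str, port: int = 5900, timeout: float = 3.0) -> dict:
    """Read an inventoried listener's banner, echo the version back, and
    parse the security types the server then offers. Sends no credentials."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recv_exact(sock, 12)
        sock.sendall(banner)
        rest = sock.recv(512)
    return parse_rfb_handshake(banner + rest)
```

Point probe_vnc at the listeners in your own asset inventory; the returned names list shows what each server offers, and auth_disabled marks the listeners to remediate first.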
### For Defenders
- **Disable Insecure Protocols:** Disable RDP/VNC on internet-facing assets immediately; use gateway protections (e.g., RD Gateway with MFA) if the protocol is necessary.
- **Patch Management:** Prioritize patching BlueKeep and upgrading EoL Windows instances.
- **Monitor for REDHEBERG:** Check logs for indicators of compromise (IoCs) related to the REDHEBERG botnet.
### For Researchers
- Focus on the automation of discovering "hidden" OT protocols tunneled through standard IT remote access ports.
## Limitations
- The research relies heavily on Shodan data, which captures a snapshot of the internet and may miss assets behind dynamic IPs or certain non-standard configurations.
- Industry mapping based on IP addresses can occasionally lead to misclassification if companies use generic cloud service providers.
## Comparison to Prior Work
Building on Project **OT:ICEFALL**, this research shifts focus from the vulnerabilities within the industrial controllers themselves to the **access pathways** used to reach them. It demonstrates that while OT protocols are becoming more secure, the "front door" (RDP/VNC) remains wide open.
## Real-world Applications
- **Use Case:** Critical infrastructure providers can use these findings to justify investments in Zero Trust Network Access (ZTNA) to regulatory boards.
- **Implementation:** Organizations should implement granular session visibility to record what actions remote users take while connected to HMIs.
## Future Work
- Analysis of AI-driven tools used by threat actors to automatically exploit these 3.4 million exposed servers.
- Evaluating the effectiveness of "Secure-by-Design" mandates in reducing the footprint of exposed OT interfaces.
## References
- Forescout Research: Vedere Labs (VNC/RDP Exposure Report 2026)
- OT:ICEFALL Research (Forescout)
- CISA Zero Trust Roadmap for OT Environments (Related Guidance)