HIGH: Accessible VNC Report

DESCRIPTION LAST UPDATED: 2025-05-01

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have a VNC instance running on ports 5900-5905, 5800-5805, 6000, 17689 that are accessible on the IPv4 Internet. For IPv6 we currently scan 5900 and 5901 only.

If improperly configured, VNC may allow remote access to a desktop in an unintended manner.

We also added detection of VNC instances without any authentication (starting 2025-05-01). These instances are additionally tagged vnc-unauth.

You can track VNC scan results on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

This report has an IPv4 and IPv6 version.

Filename(s): scan_vnc, scan6_vnc

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the response came on (always TCP)
  • port
    Port that the response came from
  • hostname
    Reverse DNS name of the device in question
  • tag
    This will always be vnc and may also include vnc-unauth
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • product
    The product name and version of the VNC server, if we know what it is
  • banner
    The raw response from the VNC server
  • sector
    Sector the IP belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","product","banner","sector"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,5900,node01.example.com,vnc,64512,ZZ,Region,City,0,,"RealVNC Enterprise protocol 4.1","RFB 004.001","Communications, Service Provider, and Hosting Service"
"2010-02-10 00:00:01",high,192.168.0.2,tcp,5900,node02.example.com,vnc,64512,ZZ,Region,City,0,ptr,"RealVNC Enterprise v5.3 or later","RFB 005.000","Communications, Service Provider, and Hosting Service"
"2010-02-10 00:00:02",high,192.168.0.3,tcp,5900,node03.example.com,vnc,64512,ZZ,Region,City,0,,,"RFB 003.008",

Our 135 Report Types

« Back to Network Reporting