
Hundreds of Internet-Facing VNC Servers Expose ICS/OT Systems, Forescout Finds


Forescout’s 2026 Riskiest Connected Devices report has identified hundreds of internet-facing VNC and RDP servers that can be directly mapped to specific critical industries, including manufacturing, energy, and water utilities — leaving operational technology environments open to remote access by anyone with a network scanner.

Exposed VNC Servers in ICS/OT: What We Know So Far

The findings come from Forescout’s Vedere Labs research team, which analyzed device exposure across tens of thousands of enterprise and industrial networks. While RDP and SMB usage has stabilized or declined across standard IT environments, the researchers found that remote access protocols — particularly VNC — remain dangerously common on operational technology assets that were never designed to face the public internet.

Forescout found that SSH and Telnet connections are rising in OT and IoT environments, a signal that legacy administration interfaces are being left exposed as organizations retrofit older industrial hardware into connected networks. The scale of the problem is significant: the research identified tens of thousands of devices with exposed Telnet servers alone on the open internet, plus an estimated 20,000 to 30,000 serial device servers needlessly discoverable via standard scanning tools.

VNC (Virtual Network Computing) presents a particularly acute risk in ICS/OT environments because many industrial human-machine interfaces (HMIs) and SCADA workstations use VNC as a built-in remote access mechanism — often with weak or default credentials. Unlike enterprise endpoints, these systems frequently run outdated operating systems and are rarely patched, since downtime for patching can mean production shutdowns worth millions of dollars.

The Forescout report also highlights that ICS cybersecurity risk hit a record in 2025, with 508 advisories covering 2,155 vulnerabilities — the highest volume since tracking began, and a sharp rise in high-severity flaws affecting field controllers, PLCs, and SCADA systems. The exposure of VNC servers to the internet represents the most direct attack path to these assets.

Iran-affiliated and China-nexus threat actors have both demonstrated in recent months that internet-facing OT devices are prime targets. CISA advisories published in April 2026 documented active Iranian exploitation of internet-exposed Rockwell Automation PLCs using Logix Designer software to extract project files and manipulate SCADA displays. VNC servers on the same network segment as those PLCs represent an equivalent or greater risk.

Attackers who gain access to an ICS/OT environment via an exposed VNC server can observe and manipulate physical processes, disable safety systems, or implant persistent access tools. In sectors such as water treatment, energy distribution, and chemical manufacturing, this translates directly to public safety risk.

Why Exposed VNC Servers in ICS/OT Matter

The problem is not new, but the 2026 Forescout data shows it has not improved. Security teams in IT organizations have largely eliminated unauthorized RDP and VNC exposure through firewall policy and network segmentation. In OT environments, the same discipline has not taken hold — partly because OT networks are managed by engineering teams rather than security teams, and partly because many industrial devices were deployed before network security was a design consideration.

Threat actors know this. Public scanning data from tools like Shodan and Censys consistently surfaces thousands of VNC endpoints on industrial IP ranges. Nation-state actors and ransomware operators have both used exposed remote access protocols as initial access vectors into manufacturing and utility networks. In at least two high-profile ICS incidents in recent years, the initial foothold was an internet-facing VNC session with weak credentials.

The Forescout mapping capability — associating exposed servers with specific industries — is significant for defenders. It means asset owners can now receive targeted alerts when their IP ranges appear in exposure data, rather than relying on periodic manual scans.

Exposed VNC Servers in ICS/OT: What You Should Do Now

  • Enumerate all VNC and RDP listeners in your OT network. Run a port scan against your industrial IP ranges for ports 5900–5909 (VNC) and 3389 (RDP). Any result that is not explicitly authorized and documented is a finding. Tools like nmap -sV -p 5900-5909,3389 <OT_range> will surface listeners quickly.
  • Block VNC and RDP from reaching the internet at the perimeter firewall. There is no operational justification for VNC to be directly internet-accessible. If remote access to OT systems is required, route it through a jump host or VPN with multi-factor authentication.
  • Check for default and weak credentials. Many HMIs ship with VNC enabled and a default password (often blank, “admin”, or the model number). Use your asset management system or scanner to identify VNC-enabled devices, then audit credentials against a known-weak list.
  • Patch or replace systems running end-of-life OS. Windows XP and Windows 7 remain common in OT environments. These operating systems have no patch support and multiple known VNC implementation vulnerabilities. If replacement is not immediately possible, isolate the device to a restricted VLAN with no internet path.
  • Implement network segmentation between IT and OT. A flat network where IT and OT share the same subnet is the root cause of most ICS exposure incidents. Enforce a DMZ or data diode between IT and OT, and require explicit firewall rules for any cross-boundary traffic.
  • Monitor VNC sessions for anomalous activity. If VNC is legitimately used internally, log connection attempts and alert on authentication failures or connections from unexpected source IPs. Most VNC implementations support logging to syslog.
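The first step above (enumerate every VNC and RDP listener and treat anything undocumented as a finding) is easy to run but tedious to triage by hand. The following script is an added example, not code from the article or from Forescout: it parses nmap's greppable output (as produced by the scan command above with `-oG` added), keeps only open listeners on the VNC and RDP ports inside the OT range, and reports every listener that is not in a documented-authorization inventory. The scan output and the inventory are constructed samples; the `AUTHORIZED` dict keyed by `ip:port` is an assumed shape for your own asset register.

```python
"""Flag undocumented VNC/RDP listeners in an OT range from nmap greppable output.

Added example (not from the article or the Forescout report). Assumes the scan
was run as:  nmap -sV -p 5900-5909,3389 -oG scan.gnmap <OT_range>
and that the authorized-listener inventory is a dict keyed by "ip:port".
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap -oG output (not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Sat Apr 20 10:00:00 2026 as: nmap -sV -p 5900-5909,3389 -oG scan.gnmap 10.20.0.0/24
Host: 10.20.0.11 ()\tStatus: Up
Host: 10.20.0.11 ()\tPorts: 5900/open/tcp//vnc//VNC (protocol 3.8)/, 3389/closed/tcp//ms-wbt-server///
Host: 10.20.0.25 ()\tPorts: 5900/open/tcp//vnc//RealVNC Enterprise/, 5901/open/tcp//vnc//VNC (protocol 3.8)/
Host: 10.20.0.40 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
Host: 10.20.0.99 ()\tPorts: 5900/filtered/tcp//vnc///
# Nmap done at Sat Apr 20 10:03:12 2026 -- 256 IP addresses (4 hosts up) scanned
"""

# Constructed inventory: listeners that are documented and authorized (assumed shape).
AUTHORIZED: Dict[str, str] = {
    "10.20.0.11:5900": "HMI-PRESS-01, VNC reachable from engineering jump host only",
}

# VNC display ports 5900-5909 plus RDP, matching the scan in the article.
REMOTE_ACCESS_PORTS = set(range(5900, 5910)) | {3389}

# One -oG port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (ip, port, service, version) for every open TCP port in greppable output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open" and proto == "tcp":
                results.append((ip, int(port), service, version.strip()))
    return results


def find_unauthorized(scan: List[Tuple[str, int, str, str]],
                      authorized: Dict[str, str], ot_range: str) -> List[dict]:
    """Every open VNC/RDP listener inside ot_range that is not in the inventory is a finding."""
    net = ipaddress.ip_network(ot_range)
    findings = []
    for ip, port, service, version in scan:
        if port not in REMOTE_ACCESS_PORTS or ipaddress.ip_address(ip) not in net:
            continue
        if f"{ip}:{port}" in authorized:
            continue  # documented and authorized; not a finding
        findings.append({
            "host": ip,
            "port": port,
            "protocol": "RDP" if port == 3389 else "VNC",
            "banner": version or service,
        })
    return findings


if __name__ == "__main__":
    for f in find_unauthorized(parse_gnmap(SAMPLE_GNMAP), AUTHORIZED, "10.20.0.0/24"):
        print(f"FINDING {f['protocol']} {f['host']}:{f['port']}  ({f['banner']})")
```

On the constructed sample this reports three findings (two VNC displays on one host and one RDP listener); the authorized HMI listener is suppressed. In practice, run it against the real `-oG` file and diff the findings against the previous run so that newly appearing listeners are flagged the day they show up.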

Detection and Verification Checklist

  • Run a Shodan or Censys query for your organization’s AS number or IP ranges: port:5900,5901 org:"YourOrg" — any results indicate externally visible VNC.
  • Check your firewall egress and ingress rules for explicit VNC (5900-5909) allow rules.
  • Review your OT asset inventory for devices with VNC enabled — HMI vendors including Siemens, Schneider Electric, Rockwell, and GE Vernova commonly ship with VNC.
  • Verify your VPN solution is enforcing MFA for all OT remote access sessions.
  • Cross-reference exposed IP ranges with Forescout’s report findings if you have a Forescout deployment — the platform’s device classification can identify OT assets with remote access exposure.
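The checklist verifies exposure from the outside; the "Monitor VNC sessions" step in the earlier list covers what to watch once VNC is confined to the inside. The script below is an added example, not code from the article or from any VNC vendor: it reads syslog-forwarded VNC server events and raises two alerts, a connection accepted from a source outside the approved management subnet, and a burst of authentication failures from one source within a five-minute window. The log lines are constructed and only loosely modelled on generic VNC server messages; `LINE_RE`, `ACCEPT_RE` and `AUTH_FAIL_RE` are assumptions that must be adapted to the format your VNC implementation actually emits, and `ALLOWED_SOURCES` is a constructed management subnet.

```python
"""Alert on anomalous VNC sessions from syslog-forwarded VNC server logs.

Added example, not part of the article. Log lines are constructed; the regexes
are assumptions to be adapted to the real server's syslog format.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List

# Constructed sample: an approved engineering-workstation session, then a burst of
# failures from an address outside the OT management subnet, then one benign typo.
SAMPLE_LOG = """\
Apr 20 10:01:02 hmi-press-01 vncserver[2231]: Connections: accepted: 10.20.1.15::52211
Apr 20 10:01:04 hmi-press-01 vncserver[2231]: Auth: authentication succeeded for 10.20.1.15
Apr 20 10:03:10 hmi-press-01 vncserver[2231]: Connections: accepted: 203.0.113.45::41022
Apr 20 10:03:11 hmi-press-01 vncserver[2231]: Auth: authentication failed for 203.0.113.45
Apr 20 10:03:13 hmi-press-01 vncserver[2231]: Auth: authentication failed for 203.0.113.45
Apr 20 10:03:15 hmi-press-01 vncserver[2231]: Auth: authentication failed for 203.0.113.45
Apr 20 10:03:18 hmi-press-01 vncserver[2231]: Auth: authentication failed for 203.0.113.45
Apr 20 10:03:20 hmi-press-01 vncserver[2231]: Auth: authentication failed for 203.0.113.45
Apr 20 10:40:00 hmi-press-01 vncserver[2231]: Connections: accepted: 10.20.1.77::50110
Apr 20 10:40:02 hmi-press-01 vncserver[2231]: Auth: authentication failed for 10.20.1.77
Apr 20 10:40:09 hmi-press-01 vncserver[2231]: Auth: authentication succeeded for 10.20.1.77
"""

# Constructed: the only subnet from which VNC sessions to HMIs are expected.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.1.0/24")]
FAIL_THRESHOLD = 5               # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window trigger an alert

# Assumed line shapes; adapt to your server's actual syslog output.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Connections: accepted: (?P<ip>[\d.]+)::\d+")
AUTH_FAIL_RE = re.compile(r"authentication failed for (?P<ip>[\d.]+)")


def parse_events(text: str) -> List[dict]:
    """Extract accepted-connection and auth-failure events (other lines are ignored)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog omits the year; the parsed year is irrelevant for window arithmetic.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        a = ACCEPT_RE.search(m["msg"])
        if a:
            events.append({"ts": ts, "host": m["host"], "kind": "accept", "src": a["ip"]})
            continue
        f = AUTH_FAIL_RE.search(m["msg"])
        if f:
            events.append({"ts": ts, "host": m["host"], "kind": "auth_fail", "src": f["ip"]})
    return events


def detect(events: List[dict]) -> List[dict]:
    """Return alerts for unexpected source addresses and auth-failure bursts."""
    alerts = []
    recent_fails = defaultdict(deque)  # src -> timestamps of failures inside FAIL_WINDOW
    already_flagged = set()
    for ev in events:
        src = ipaddress.ip_address(ev["src"])
        if ev["kind"] == "accept" and not any(src in net for net in ALLOWED_SOURCES):
            alerts.append({"rule": "unexpected_source", "host": ev["host"],
                           "src": ev["src"], "ts": ev["ts"]})
        elif ev["kind"] == "auth_fail":
            q = recent_fails[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAIL_WINDOW:
                q.popleft()  # drop failures that fell out of the sliding window
            if len(q) >= FAIL_THRESHOLD and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])
                alerts.append({"rule": "auth_failure_burst", "host": ev["host"],
                               "src": ev["src"], "ts": ev["ts"], "failures": len(q)})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a['rule']} host={a['host']} src={a['src']} at {a['ts'].time()}")
```

On the constructed sample the single mistyped password from the engineering subnet stays quiet, while the outside address produces both an unexpected-source alert on connect and a burst alert on its fifth failure. The burst rule is deliberately per-source and once-per-burst so a scanner hammering an HMI does not flood the SOC with one alert per attempt.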

Sources: SecurityWeek, Forescout 2026 Riskiest Connected Devices Report, Industrial Cyber — Forescout OT/ICS Report
