Millions of remote access RDP and VNC servers are exposed to the internet, and hundreds of them may provide access to industrial control systems (ICS) and other operational technology (OT), according to research by Forescout.
RDP (Remote Desktop Protocol) and VNC (Virtual Network Computing) are widely used for remote access, but they should not be exposed directly to the open internet without a secure gateway.
A Shodan search shows roughly 1.8 million RDP and 1.6 million VNC servers exposed on the internet, a majority in China and the United States. Forescout has determined that the majority are honeypots, ISPs, and hosting providers, but its researchers still found 91,000 RDP and 29,000 VNC servers that could be linked to specific industries.
A significant percentage of exposed servers is hosted by organizations in the retail, education, services, manufacturing, and healthcare sectors.
An analysis showed that many of the exposed servers run Windows versions that reached end of life or end of support. More than 19,000 RDP servers are vulnerable to the old vulnerability named BlueKeep, which has been exploited by a wide range of threat actors.
In addition, nearly 60,000 VNC servers do not have authentication enabled. One of the most concerning findings is that 670 of these VNC servers provide direct access to ICS/OT panels without authentication.
Access to these cyber-physical systems (CPS) can be highly valuable to attackers, and the threat is not only theoretical.
Forescout pointed out that Russia-linked hackers have been known to target OT systems via VNC, as warned by government agencies in December 2025.
One Russia-linked group, known as Infrastructure Destruction Squad (IDS) and Dark Engine, recently shared a tool designed to scan for RDP, VNC, and OT-specific protocols.
“On February 23, the group shared a video of a purportedly compromised groundwater pumping station in Israel that it said was found with this tool. On March 9, the group shared another example of the tool being run against a specific target set, including a VNC screenshot of a control system in Turkey,” Forescout said, adding, “Between these two posts, the group also advertised the sale of access to an exposed SCADA system in Czechia.”
In addition to these attacks, the cybersecurity firm noted that profit-driven cybercriminals have been abusing RDP for ransomware deployment, and that the Redheberg botnet has infected nearly 40,000 exposed VNC servers since February.
Organizations can mitigate these risks by using dedicated secure remote access solutions, including ones designed specifically for accessing sensitive CPS.
Related: Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking
Related: ZionSiphon Malware Targets ICS in Water Facilities
Related: CISA Warns of ScadaBR Vulnerability After Hacktivist ICS Attack
Related: ICS Devices Bricked Following Russia-Linked Intrusion Into Polish Power Grid
