New research from Forescout Technologies highlights scale and risk of insecure remote access across industrial and enterprise environments, with 1.8 million Remote Desktop Protocol (RDP) and 1.6 million Virtual Network Computing (VNC) servers exposed to the internet. China accounts for 22% of exposed RDP servers and 70% of VNC, followed by the U.S. with 20% and 7%, and Germany with 8% and 2%. Industry mapping shows that retail, services, and education lead RDP exposure, while education, services, and healthcare dominate VNC exposure, with manufacturing, transportation, and utilities also significantly affected.
The findings underscore persistent security gaps, including 18% of exposed RDP servers running end-of-life Windows systems and another 42% on Windows 10, which recently reached end of support. More than 19,000 RDP servers remain vulnerable to the critical BlueKeep flaw, while nearly 60,000 VNC servers have authentication disabled, including over 670 directly connected to OT (operational technology) and ICS (industrial control systems) control panels. Threat activity is also intensifying, with hacktivist groups sharing tools to identify vulnerable systems and selling access, and the REDHEBERG botnet infecting nearly 40,000 exposed VNC assets since February.
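The "authentication disabled" finding above comes down to what a VNC server offers in the first bytes of the RFB handshake: in RFB 3.7/3.8 the server lists its supported security types, and type 1 ("None") means anyone who can reach the port gets a desktop. The parser below is an added example (not Forescout's code) for auditing your own endpoints from captured or constructed handshake bytes; the sample byte strings are constructed here, and the type numbers come from the public RFB specification rather than from the article.

```python
"""Classify a VNC server's RFB greeting by the security types it offers.

Added example, not part of the article or Forescout's tooling. It parses only
the server-side bytes of the handshake (version banner followed by the
security-types message) so it can run offline on a captured or constructed
sample. Security-type numbers follow the public RFB specification.
"""
import struct

# RFB security types as defined by the RFB spec / IANA registry.
RFB_SECURITY_TYPES = {
    0: "Invalid",            # server refuses; a reason string follows
    1: "None",               # no authentication at all
    2: "VNC Authentication", # DES challenge-response on a shared password
    5: "RA2",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_server_greeting(data: bytes) -> dict:
    """Parse the server's opening bytes of an RFB session.

    Returns {"version": (major, minor), "types": [int, ...], "reason": str|None}.
    For RFB >= 3.7 the server sends u8 count + that many u8 types (count 0 means
    refusal plus a u32-length-prefixed reason). For RFB 3.3 it sends one u32 type.
    """
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB version banner")
    major, minor = int(data[4:7]), int(data[8:11])
    rest = data[12:]

    if (major, minor) >= (3, 7):
        if not rest:
            raise ValueError("truncated: no security-types message")
        count = rest[0]
        if count == 0:
            (reason_len,) = struct.unpack("!I", rest[1:5])
            reason = rest[5:5 + reason_len].decode("utf-8", errors="replace")
            return {"version": (major, minor), "types": [], "reason": reason}
        types = list(rest[1:1 + count])
        if len(types) != count:
            raise ValueError("truncated security-type list")
        return {"version": (major, minor), "types": types, "reason": None}

    # RFB 3.3: the server dictates a single security type as a big-endian u32.
    if len(rest) < 4:
        raise ValueError("truncated: no security type")
    (sec_type,) = struct.unpack("!I", rest[:4])
    if sec_type == 0:
        (reason_len,) = struct.unpack("!I", rest[4:8])
        reason = rest[8:8 + reason_len].decode("utf-8", errors="replace")
        return {"version": (major, minor), "types": [], "reason": reason}
    return {"version": (major, minor), "types": [sec_type], "reason": None}


def auth_disabled(greeting: dict) -> bool:
    """True when the server offers security type 1 ("None"), i.e. no password."""
    return 1 in greeting["types"]


def describe(greeting: dict) -> str:
    """Human-readable summary of the offered security types."""
    names = [RFB_SECURITY_TYPES.get(t, f"unknown({t})") for t in greeting["types"]]
    ver = "RFB %d.%d" % greeting["version"]
    if greeting["reason"] is not None:
        return f"{ver}: refused ({greeting['reason']})"
    flag = " [AUTH DISABLED]" if auth_disabled(greeting) else ""
    return f"{ver}: offers {', '.join(names)}{flag}"


# Constructed samples (not captures from any real host).
SAMPLE_OPEN_38 = b"RFB 003.008\n" + bytes([1, 1])          # only "None" offered
SAMPLE_AUTH_38 = b"RFB 003.008\n" + bytes([2, 2, 19])      # VNC auth or VeNCrypt
SAMPLE_OPEN_33 = b"RFB 003.003\n" + struct.pack("!I", 1)   # legacy 3.3, no auth
SAMPLE_REFUSED = b"RFB 003.008\n" + bytes([0]) + struct.pack("!I", 8) + b"Too many"

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN_38, SAMPLE_AUTH_38, SAMPLE_OPEN_33, SAMPLE_REFUSED):
        print(describe(parse_server_greeting(sample)))
```

Note that a server offering both "None" and a password type is still counted as open, since the client picks the type; an inventory check should flag any greeting in which type 1 appears at all.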
Forescout Research – Vedere Labs examines the risks and threats affecting another common remote-access model: jump hosts and human-machine interfaces (HMIs) exposed through RDP and VNC. It analyzed the global attack surface, highlighted examples from the current threat landscape, and explained why modern secure remote access (SRA) is needed in Cyber-Physical Systems (CPS) networks.
“CPS environments were not designed for remote access. Many of these systems lack the native identity, authentication, and authorization controls required for safe remote operations. We explored some of this insecure-by-design functionality in operational technology (OT) in our previous OT:ICEFALL research,” researchers from Vedere Labs detailed in a blog post this week. “Remote access is also one of the least governed paths into CPS environments because of the continued use of VPNs and jump hosts. Once connected through these methods, users often gain broad, persistent access.”
Several factors compound the risks associated with remote access in industrial environments. Traditional approaches such as VPNs and jump hosts tend to extend network trust rather than enforce granular control, often relying on shared or persistent credentials that increase the potential impact of a breach. At the same time, undocumented and shadow access pathways created by OEMs, contractors, and ad hoc connections frequently operate without formal oversight, introducing unmanaged entry points into cyber-physical systems.
These risks are further amplified by the use of legacy and proprietary protocols that were not designed for remote connectivity, making systems more vulnerable to misconfiguration, unauthorized changes, and disruption. Limited session visibility also weakens governance, as organizations often lack clear insight into who accessed critical systems, whether access was properly authorized, and what actions were taken.
Shodan data show that more than 1.8 million RDP servers and over 1.6 million VNC servers are currently exposed on the internet, distributed across the globe. China accounts for 22% of exposed RDP servers and 70% of exposed VNC servers, while the United States represents 20% and 7%, respectively. Germany follows with 8% of exposed RDP servers and 2% of exposed VNC servers.
“Some of these systems are honeypots, and not all provide access to enterprise networks,” Forescout disclosed. “To reduce that noise, we map exposed instances to specific industries using Autonomous System Numbers (ASNs) from the public Stanford ASdb dataset. Most ASNs associated with these exposed servers belong to ISPs or hosting providers which cannot be mapped to a specific industry. Many honeypots are also likely to be deployed on those ASNs. After excluding them, we identified 91,000 exposed RDP servers and 29,000 exposed VNC servers that could be categorized by industry.”
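The ASN-based attribution Forescout describes is easy to reproduce in outline: join each exposed host's ASN against an ASN-to-category table, drop the ISP and hosting categories that cannot be tied to a vertical (and that tend to host honeypots), then tally what remains per industry. The script below is an added example, not Forescout's pipeline; the ASN table is a small constructed stand-in in the shape of the Stanford ASdb data (the real dataset has far more rows and a two-level category scheme), the host records are constructed Shodan-style tuples, and the ASNs are from the reserved documentation range.

```python
"""Map exposed RDP/VNC hosts to industries by ASN, excluding ISP/hosting ASNs.

Added example, not Forescout's code. ASDB is a constructed stand-in for the
public Stanford ASdb dataset (ASN -> category); EXPOSED is a constructed list
of Shodan-style records. ASNs 64496-64511 are reserved for documentation.
"""
from collections import Counter

# Constructed ASN -> category table (flat labels; real ASdb has layered categories).
ASDB = {
    64496: "Computer and Information Technology/Internet Service Provider (ISP)",
    64497: "Computer and Information Technology/Hosting",
    64498: "Education and Research",
    64499: "Health Care Services",
    64500: "Retail Stores, Wholesale, and E-commerce Sites",
    64501: "Manufacturing",
}

# Categories that cannot be mapped to a vertical; honeypots also cluster here.
UNMAPPABLE_TAGS = ("Internet Service Provider", "Hosting")

RDP_PORT, VNC_PORT = 3389, 5900

# Constructed records: (ip, port, asn). Documentation IP ranges only.
EXPOSED = [
    ("192.0.2.10", RDP_PORT, 64496),     # ISP        -> excluded
    ("192.0.2.11", RDP_PORT, 64497),     # hosting    -> excluded
    ("192.0.2.12", RDP_PORT, 64500),     # retail
    ("192.0.2.13", RDP_PORT, 64500),     # retail
    ("192.0.2.14", RDP_PORT, 64501),     # manufacturing
    ("192.0.2.15", RDP_PORT, 64510),     # ASN not in table -> excluded
    ("198.51.100.20", VNC_PORT, 64498),  # education
    ("198.51.100.21", VNC_PORT, 64498),  # education
    ("198.51.100.22", VNC_PORT, 64499),  # healthcare
    ("198.51.100.23", VNC_PORT, 64496),  # ISP        -> excluded
]


def industry_for_asn(asn: int):
    """Return the industry label for an ASN, or None if unknown or unmappable."""
    label = ASDB.get(asn)
    if label is None or any(tag in label for tag in UNMAPPABLE_TAGS):
        return None
    return label


def tally_by_industry(records, port: int):
    """Count mappable hosts on `port` per industry; also return how many were excluded."""
    counts = Counter()
    excluded = 0
    for _ip, host_port, asn in records:
        if host_port != port:
            continue
        label = industry_for_asn(asn)
        if label is None:
            excluded += 1
            continue
        counts[label] += 1
    return dict(counts), excluded


def shares(counts: dict) -> dict:
    """Convert raw counts to percentage shares (one decimal), as in the report."""
    total = sum(counts.values())
    if total == 0:
        return {}
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


if __name__ == "__main__":
    for name, port in (("RDP", RDP_PORT), ("VNC", VNC_PORT)):
        counts, excluded = tally_by_industry(EXPOSED, port)
        print(f"{name}: {sum(counts.values())} mappable, {excluded} excluded")
        for industry, pct in sorted(shares(counts).items(), key=lambda kv: -kv[1]):
            print(f"  {pct:5.1f}%  {industry}")
```

The exclusion step is what keeps the percentages honest: without it, the ISP and hosting ASNs (and the honeypots sitting in them) would dominate every industry breakdown.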
Among exposed VNC servers, education leads all sectors at 28%, followed by services at 22% and healthcare at 17%. Retail accounts for 9% of exposed VNC, while manufacturing represents 6%. Real estate, transportation, and logistics each account for 3%, with financial services at 1% and government at less than 1%. The remaining 11% falls across other industries.
Among exposed RDP servers, retail holds the largest share at 32%, with services close behind at 23%. Education and manufacturing round out the top four, at 16% and 15% respectively. Real estate accounts for 3%, while healthcare, financial services, and transportation and logistics each represent 2% or less. Utilities account for less than 1% of exposed RDP, with the remaining 6% spread across other sectors.
The researchers note that exposure volume alone does not define risk, as different sectors face distinct operational realities. Transportation environments are typically multi-vendor and require access for multiple third parties, which complicates remote access management. Manufacturing organizations remain attractive targets for ransomware, with RDP frequently used as an entry point in past intrusions. Water utilities are often targeted by hacktivists and commonly operate under budget constraints that limit their ability to invest in robust security measures.
Vedere Labs detailed that hacktivist activity targeting critical infrastructure has intensified since Russia invaded Ukraine in 2022 and more recently following the escalation of conflict in the Middle East in February 2026. “Last December, CISA and several international agencies published a joint advisory on pro-Russian hacktivists targeting VNC. The advisory described common TTPs, including scanning the internet for exposed VNC servers and brute-forcing passwords. It specifically named four groups active against the US: Cyber Army of Russia Reborn (CARR), NoName057(16), Z-Pentest, and Sector16.”
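The TTPs the advisory names, scanning for exposed VNC and brute-forcing passwords, leave a simple signature on the target side: a burst of authentication failures from one source, sometimes followed by a success when a guess lands. The detector below is an added example (not from the advisory or Forescout) showing a sliding-window rule over VNC server authentication logs; the log format and the log lines are constructed for this example and do not correspond to any particular VNC product's output, so the regular expression would need adjusting for a real deployment.

```python
"""Sliding-window brute-force detection over VNC authentication logs.

Added example, not part of the article or the cited advisory. The log line
format below is constructed for the example; adapt LINE_RE to the real
server's log format before use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (format invented here; timestamps are UTC ISO-8601).
LOG_LINES = [
    "2026-03-20T10:00:01Z vncserver[1201]: auth failure from 203.0.113.5",
    "2026-03-20T10:00:03Z vncserver[1201]: auth failure from 203.0.113.5",
    "2026-03-20T10:00:05Z vncserver[1201]: auth failure from 203.0.113.5",
    "2026-03-20T10:00:07Z vncserver[1201]: auth failure from 203.0.113.5",
    "2026-03-20T10:00:09Z vncserver[1201]: auth failure from 203.0.113.5",
    "2026-03-20T10:00:11Z vncserver[1201]: auth failure from 203.0.113.5",
    "2026-03-20T10:00:14Z vncserver[1201]: auth success from 203.0.113.5",
    "2026-03-20T10:00:20Z vncserver[1201]: auth failure from 198.51.100.7",
    "2026-03-20T10:00:40Z vncserver[1201]: auth success from 198.51.100.7",
    "2026-03-20T10:02:00Z vncserver[1201]: auth failure from 203.0.113.9",
    "2026-03-20T10:04:00Z vncserver[1201]: auth failure from 203.0.113.9",
    "2026-03-20T10:06:00Z vncserver[1201]: auth failure from 203.0.113.9",
    "2026-03-20T10:08:00Z vncserver[1201]: auth failure from 203.0.113.9",
    "2026-03-20T10:10:00Z vncserver[1201]: auth failure from 203.0.113.9",
    "garbage line that does not match and is ignored",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) vncserver\[\d+\]: "
    r"auth (?P<result>failure|success) from (?P<ip>[\d.]+)$"
)


def parse_line(line: str):
    """Return (timestamp, result, ip) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["ip"]


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Alert on >= `threshold` failures from one IP inside `window`, and on a
    success that follows such a burst (likely guessed credential).

    Returns a list of {"kind", "ip", "count", "at"} dicts in event order.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps within the window
    burst_alerted = set()
    alerts = []

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, ip = parsed
        q = recent_failures[ip]
        # Drop failures older than the window relative to this event.
        while q and ts - q[0] > window:
            q.popleft()

        if result == "failure":
            q.append(ts)
            if len(q) >= threshold and ip not in burst_alerted:
                burst_alerted.add(ip)
                alerts.append({"kind": "burst", "ip": ip, "count": len(q), "at": ts})
        else:  # success
            if len(q) >= threshold:
                alerts.append({"kind": "success_after_burst", "ip": ip,
                               "count": len(q), "at": ts})
            q.clear()  # a success ends the sequence for this source
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(LOG_LINES):
        print(f"{a['at'].isoformat()}Z {a['kind']:>20} {a['ip']} failures={a['count']}")
```

Slow guessing spread over minutes (the 203.0.113.9 source above) stays below a 60-second window by design; a second, longer window with a higher threshold catches that pattern without generating noise from ordinary typos like 198.51.100.7.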
Z-Pentest is a large alliance of hacktivist groups that includes the Infrastructure Destruction Squad (IDS), also known as Dark Engine. This group frequently develops custom tooling and shares it with other groups. Several of its tools appear AI-generated, so their efficacy is questionable. Yet, a recent example shows explicit interest in VNC. On February 7, IDS shared the TRK25 ADVANCED SCADA tool, including full source code, on its Telegram channel.
The source code shows that the tool is a GUI-based scanner designed to probe specific ports associated with industrial protocols across attacker-defined IP ranges. It targets both RDP and VNC, along with OT-specific protocols such as Modbus and OPC, and includes functionality to capture screenshots of scanned systems.
The code also contains placeholder IP ranges for Russia, Ukraine, Germany, the United States, and China, suggesting that some regions may have been excluded from scanning while others were intended as targets. In addition, a list of 50 custom IP addresses appears to have been used for testing or operational activity. Analysis of this list on March 20 found that 18 hosts were offline, while 32 were online, including 12 in South Korea, 9 in Turkey, 4 in France, 2 in Taiwan, and 5 distributed across Australia, Brazil, Canada, Estonia, and Greece. Of the active hosts, 19 were found to have exposed VNC servers.
“On February 23, the group shared a video of a purportedly compromised groundwater pumping station in Israel that it said was found with this tool. On March 9, the group shared another example of the tool being run against a specific target set, including a VNC screenshot of a control system in Turkey,” Vedere Labs disclosed. “Between these two posts, the group also advertised the sale of access to an exposed SCADA system in Czechia, shown in the screenshot below. Announcements like this are becoming more common among hacktivist groups. Why? It is possible this method is a way to monetize targets with lower strategic value. This reflects an initial access broker model long familiar in IT and increasingly relevant in OT.”
The research added, “Unrelated to VNC, the group also advertised a ransomware builder called $$BLACKNET-00$$ for $500. An example of a simple Python-based ransomware sample created by the tool can be found on VirusTotal. The group shared an image of the sample on VirusTotal but redacted the hash. We were able to identify it based on file contents. The file was submitted to VirusTotal only once, on March 10, the same day that it was announced on Telegram from Egypt — although the group may have used a proxy in that country.”
Vedere Labs detailed that mitigating these risks requires a fundamentally different approach to remote access. “In CPS environments, secure remote access should function as a controlled operational workflow, not only a network connection. Every action in CPS can have physical and safety implications. Access should be governed with the same rigor as procedures on the plant floor. Rather than placing a user directly on an OT network, modern SRA inserts a control plane between users, networks, and assets, so that access is deliberate, contextual, and auditable.”
The post added, “Implementing SRA starts with continuous, real-time visibility into every asset on the network. When organizations understand what assets exist, where they are, how they are behaving, and whether they are in an acceptable security posture, access decisions can be based on live asset intelligence rather than static inventories or assumptions.”
Using that context, an SRA gateway, such as the recently launched Forescout SRA, can mediate each interaction between a user and an OT asset. Users do not communicate directly with PLCs, HMIs, or engineering workstations. Instead, the gateway isolates sessions and renders them as secure, browser-delivered image streams. The user sees pixels, not protocols, which reduces the exposure of fragile protocols such as RDP, SSH, VNC, or proprietary control traffic.
Forescout also warned that insecure remote access remains one of the most overlooked and dangerous exposure points in industrial networks, as organizations continue to connect OT systems for remote monitoring and operations without adequate safeguards. The analysis highlights how widely used remote access technologies, including RDP and VNC, are often exposed directly to the internet, creating entry points that attackers can exploit to gain footholds in critical infrastructure environments. Once inside, adversaries can move laterally across IT and OT systems, increasing the risk of operational disruption, data compromise, and potential control over physical processes.
“The geography changes. The industry changes. The maturity level changes,” Massimiliano Mandolini wrote in a Forescout blog post this week. “One thing never does: every single one had an unsecured remote connection – sometimes more than one – sitting quietly on their network. And every single time I pointed it out, the room reacted the same way. No alarm. No embarrassment. Just a calm, almost bored explanation: ‘Oh yes, that’s vendor X — they’ve been connecting remotely to monitor our DCS for years.’ ‘That’s our trusted system integrator; they need it for remote maintenance.’”
He added that it was as if naming it made it safe: “As if the fact that everyone in the room already knew about it meant someone had already decided it was fine. Nobody had.”
Mandolini added that what makes it even more striking is that the same people had just spent thirty minutes on advanced threat scenarios, sophisticated attacks, and complex, highly unlikely vectors, while an unsecured connection with unrestricted network access didn’t make the list. “Secure Remote Access (SRA) doesn’t appear often on the priority list. But it appears constantly in the news — just under a different label: ‘unauthorized access,’ ‘internet connection exploited,’ ‘compromised credentials.’”