{
	"id": "a7234cd1-04ba-4f78-b1a8-e22e88efe7c8",
	"created_at": "2026-04-06T00:13:49.500513Z",
	"updated_at": "2026-04-10T03:23:52.033131Z",
	"deleted_at": null,
	"sha1_hash": "41984c4b7f701738bab2984cade9f4fe075a648b",
	"title": "Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1038372,
	"plain_text": "Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions\r\nBy Sergiu Gatlan\r\nPublished: 2019-11-22 · Archived: 2026-04-05 12:40:58 UTC\r\nResearchers found a total of 37 security vulnerabilities impacting four open-source Virtual Network Computing (VNC)\r\nimplementations and present for the last 20 years, since 1999.\r\nThe flaws were found in LibVNC, TightVNC 1.X, TurboVNC, and UltraVNC VNC solutions examined by Kaspersky's\r\nIndustrial Systems Emergency Response Team (ICS CERT) security researcher Pavel Cheremushkin — the highly popular\r\nRealVNC as not analyzed because it did not allow reverse engineering.\r\nThese VNC systems can be used on a wide range of operating systems including but not limited to Windows, Linux,\r\nmacOS, iOS, and Android.\r\nhttps://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nA VNC implementation consists of two parts, a client and a server, allowing the users to remotely access a machine running\r\nthe VNC server with the help of a VNC client using the RFB protocol to transmit \"screen images, mouse movement and\r\nkeypress events\".\r\nYou can find more details about VNC implementations analyzed by Cheremushkin below:\r\nLibVNC – an open-source cross-platform library for creating a custom application based on the RFB\r\nprotocol. The server component of LibVNC is used, for example, in VirtualBox to provide access to the\r\nvirtual machine via VNC.\r\nUltraVNC – a popular open-source VNC implementation developed specifically for Windows.\r\nRecommended by many industrial automation companies for connecting to remote HMI interfaces over\r\nthe RFB protocol.\r\nTightVNC 1.X – one more popular implementation of the RFB protocol. Recommended by many\r\nindustrial automation system vendors for connecting to HMI interfaces from *nix machines.\r\nTurboVNC – an open-source VNC implementation. Uses the libjpeg-turbo library to compress JPEG\r\nimages in order to accelerate image transfer.\r\nOver 600,000 VNC servers potentially exposed\r\nBased on this information, Kaspersky's ICS CERT researcher discovered over 600,000 VNC servers that can be accessed\r\nremotely over the Internet based on the info collected using the Shodan search engine for Internet-connected devices — this\r\nestimation doesn't cover the VNC servers running on local area networks.\r\nThe VNC security flaws Cheremushkin found are all caused by incorrect memory usage, with attacks exploiting them\r\nleading to denial of service states, malfunctions, as well as unauthorized access to the users' info and the option to run\r\nmalicious code on a target's device.\r\n\"Although our colleagues’ focus was on the use of VNC in industrial enterprises, the threats are relevant to any business that\r\ndeploys this technology,\" the Kaspersky report adds.\r\nWhile most of the VNC memory corruption vulnerabilities disclosed by the researchers to the development teams were\r\nfixed, in some cases they haven't been addressed to this day.\r\nThis is the case of TightVNC 1.X, whose developers said that they won't fix the found security issues since the software's\r\nfirst version is \"no longer support the first version of their system [..].\" They currently maintain the TightVNC 2.X\r\ncommercial product.\r\nBugs found in VNC solutions\r\nCheremushkin found heap-based buffer overflows in the LibVNC library that could potentially allow attackers \"to bypass\r\nASLR and use overflow to achieve remote code execution on the client.\"\r\nTightVNC came with a null pointer dereference leading to Denial of System (DoS) states, as well as two heap buffer\r\noverflows and a global buffer overflow that could lead to remote code execution. As already mentioned above, these security\r\nissues will not be fixed.\r\nA stack buffer overflow vulnerability was discovered in the TurboVNC server the might lead to remote code execution,\r\nalthough it requires authorization on the server or control over the VNC client before the connection.\r\nWhen it comes to UltraVNC, the researcher says that he was able to discover \"an entire 'zoo' of vulnerabilities in UltraVNC\r\n– from trivial buffer overflows in strcpy and sprintf to more or less curious vulnerabilities that can rarely be encountered in\r\nreal-world projects.\"\r\nOut of all UltraVNC flaws he spotted, the buffer underflow one tracked as CVE-2018-15361 that can trigger a DoS in 100%\r\nof attacks but can also be used for remote code execution. The CVE-2019-8262 one is assigned to multiple heap buffer\r\noverflow vulnerabilities that can result in remote code execution.\r\nhttps://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/\r\nPage 3 of 5\n\nThe full list of discovered VNC vulnerabilities found by Kaspersky's Pavel Cheremushkin are listed in the table below:\r\nVNC implementation Vulnerabilities\r\nLibVNC\r\nCVE-2018-6307\r\nCVE-2018-15126\r\nCVE-2018-15127\r\nCVE-2018-20019\r\nCVE-2018-20020\r\nCVE-2018-20021\r\nCVE-2018-20022\r\nCVE-2018-20023\r\nCVE-2018-20024\r\nCVE-2019-15681\r\nTightVNC 1.X\r\nCVE-2019-8287\r\nCVE-2019-15678\r\nCVE-2019-15679\r\nCVE-2019-15680\r\nTurboVNC CVE-2019-15683\r\nUltraVNC\r\nCVE-2018-15361\r\nCVE-2019-8258\r\nCVE-2019-8259\r\nCVE-2019-8260\r\nCVE-2019-8261\r\nCVE-2019-8262\r\nCVE-2019-8263\r\nCVE-2019-8264\r\nCVE-2019-8265\r\nCVE-2019-8266\r\nCVE-2019-8267\r\nCVE-2019-8268\r\nCVE-2019-8269\r\nCVE-2019-8270\r\nCVE-2019-8271\r\nCVE-2019-8272\r\nCVE-2019-8273\r\nCVE-2019-8274\r\nCVE-2019-8275\r\nCVE-2019-8276\r\nCVE-2019-8277\r\nCVE-2019-8280\r\n\"On the positive side, password authentication is often required to exploit server-side vulnerabilities, and the server may not\r\nallow users to configure a password-free authentication method for security reasons. This is the case, for example, with\r\nUltraVNC,\" Cheremushkin concluded.\r\nhttps://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/\r\nPage 4 of 5\n\n'As a safeguard against attacks, clients should not connect to unknown VNC servers and administrators should configure\r\nauthentication on the server using a unique strong password.\"\r\nKaspersky provides the following recommendations to block attackers from exploiting these VNC security flaws:\r\n• Check which devices can connect remotely, and block remote connections if not required.\r\n• Inventory all remote access applications — not just VNC — and check that their versions are up-to-date. If you have\r\ndoubts about their reliability, stop using them. If you intend to continue deploying them, be sure to upgrade to the latest\r\nversion.\r\n• Protect your VNC servers with a strong password. This will make attacking them far harder.\r\n• Do not connect to untrusted or untested VNC servers.\r\nFurther information and more details on the VNC vulnerabilities discovered by Cheremushkin are available in the full VNC\r\nvulnerability research report available on the Kaspersky Lab ICS CERT website\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/\r\nhttps://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/"
	],
	"report_names": [
		"dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434429,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41984c4b7f701738bab2984cade9f4fe075a648b.pdf",
		"text": "https://archive.orkl.eu/41984c4b7f701738bab2984cade9f4fe075a648b.txt",
		"img": "https://archive.orkl.eu/41984c4b7f701738bab2984cade9f4fe075a648b.jpg"
	}
}