8,000 Exposed VNC Instances: Critical Infrastructure Remote Access Risks and Defenses for 2026
Researchers discovered over 8,000 unprotected virtual network computing instances exposing critical infrastructure networks, from water treatment plants to research facilities, to potential cyber-attacks. Here’s how organizations can strengthen VNC security and how SASE offers an innovative way to protect critical systems.
Ozan Ucar, Founder and CEO of Keepnet
8,000 Unprotected Virtual Network Instances Expose Critical Infrastructure: What You Need to Know
In 2022, security researchers identified over 8,000 instances of unprotected Virtual Network Computing (VNC) servers accessible from the public internet with authentication disabled. The discovery highlighted a systemic failure in remote access security across critical national infrastructure. By 2026, the exposure of unprotected remote access services remains one of the most persistent and exploited vulnerabilities in industrial and operational technology environments. Threat intelligence reports consistently show that internet-exposed VNC, RDP, and industrial control system interfaces represent a primary initial access vector for attacks on critical infrastructure, with nation-state actors and ransomware operators actively scanning for these exposures.
VNC is a widely used remote desktop protocol that enables engineers and operators to control industrial and operational systems remotely. Its cross-platform support and ease of deployment make it attractive for operational technology environments. However, when VNC instances are exposed to the internet without authentication or encryption, they become trivial entry points for attackers. In 2026, automated scanning tools enable threat actors to discover and attempt to access internet-exposed VNC services within minutes of their exposure, making the window between accidental exposure and exploitation extremely short.
Why Unprotected VNCs Are a Major Threat to CNI
For organizations that manage essential services, any compromise can result in catastrophic impacts. CNI sectors, including energy, water, and healthcare, depend heavily on VNCs for remote monitoring, troubleshooting, and management of industrial systems. When VNC access lacks authentication, it exposes endpoints and ICS to unauthorized remote control, data manipulation, and potential sabotage.
VNCs’ vulnerability arises from factors such as:
- Lack of Authentication Controls: When authentication is disabled, any actor on the internet could potentially access and control these systems.
- Outdated Software and Lack of Maintenance: Older VNC systems may lack essential updates or patches, further increasing vulnerability.
- Misconfigured Network Access: Open network access increases the risk of unauthorized entry, especially if VNC connections are not secured behind a firewall or VPN.
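The "authentication disabled" condition is visible in the first bytes a VNC server sends: under the RFB protocol (RFC 6143) the server announces its version and then the security types it accepts, and type 1 means "None". The following is an added example, not code from the original article; it classifies the server side of a captured handshake, assumes the client echoed the server's version, and uses constructed sample bytes with hypothetical host names.

```python
import re
import struct

# Security-type numbers as assigned in RFC 6143 and the IANA RFB registry.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight",
                  18: "TLS", 19: "VeNCrypt"}
VERSION_RE = re.compile(rb"RFB (\d{3})\.(\d{3})\n")


def classify_handshake(stream: bytes) -> dict:
    """Classify the server-to-client bytes of an RFB handshake.

    Assumes the client echoed the server's version, so the security message
    uses the layout of the version the server announced.
    """
    m = VERSION_RE.fullmatch(stream[:12])
    if m is None:
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(m.group(1)), int(m.group(2)))
    body = stream[12:]
    if version < (3, 7):
        # RFB 3.3: the server picks one type and sends it as a big-endian u32.
        if len(body) < 4:
            raise ValueError("truncated security-type field")
        offered = [struct.unpack(">I", body[:4])[0]]
    else:
        # RFB 3.7 and 3.8: a count byte, then that many one-byte types.
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security-type list")
        offered = list(body[1:1 + body[0]])
    if offered in ([], [0]):
        verdict = "REFUSED"          # count 0 or type 0: server rejected the client
    elif 1 in offered:
        verdict = "NO_AUTH"          # type 1 "None": desktop opens with no credentials
    elif set(offered) == {2}:
        verdict = "PASSWORD_ONLY"    # DES challenge-response, session not encrypted
    else:
        verdict = "REVIEW"           # TLS/VeNCrypt/vendor types: check server config
    names = [SECURITY_TYPES.get(t, f"type {t}") for t in offered]
    return {"version": "%d.%d" % version, "offered": names, "verdict": verdict}


# Constructed handshakes with hypothetical host names, not captures from real systems.
SAMPLES = {
    "hmi-01": b"RFB 003.008\n" + bytes([2, 1, 2]),
    "hmi-02": b"RFB 003.008\n" + bytes([1, 2]),
    "hmi-03": b"RFB 003.003\n" + struct.pack(">I", 1),
    "hmi-04": b"RFB 003.008\n" + bytes([1, 19]),
}

if __name__ == "__main__":
    for host, raw in SAMPLES.items():
        print(host, classify_handshake(raw))
```

A `NO_AUTH` verdict on any host in an asset inventory is the exposure the article describes; `PASSWORD_ONLY` still leaves the session unencrypted and should sit behind a VPN or tunnel.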
The Role of SASE in Protecting Critical Infrastructure
Secure Access Service Edge, or SASE, offers a cloud-based solution to secure network architectures, particularly in environments where legacy systems can’t be taken offline for updates. By deploying virtual patches, SASE allows organizations to manage their critical infrastructure without physically updating each component. This feature is especially crucial for CNI organizations, where interruptions to ICS could lead to service disruptions or safety hazards.
SASE’s key advantages for VNC and CNI security include:
- Unified Security Policies: SASE enables centralized management, ensuring consistent security protocols across different remote access points.
- Reduced Vulnerability to Legacy System Risks: By using virtual patches, SASE can secure outdated VNC instances without needing full updates, which can be logistically challenging in legacy environments.
- Integrated Threat Intelligence: SASE uses real-time threat data to proactively protect network endpoints, reducing the likelihood of successful exploitation attempts.
For CNI organizations, transitioning to a SASE model can mitigate risks associated with VNC by bolstering endpoint security through a cloud-based, comprehensive, and adaptive framework.
VNC Security Best Practices for CNI Organizations
To protect against potential threats, organizations managing critical infrastructure should consider the following VNC security practices:
1. Enable Strong Authentication
Disabling VNC’s built-in authentication creates vulnerabilities that can be exploited easily. Instead, organizations should enable multi-factor authentication (MFA) to strengthen access control.
2. Regularly Update and Patch Systems
Outdated software is a significant security weakness. IT teams should establish a routine patching schedule or leverage virtual patching solutions through SASE to protect VNC instances.
3. Segment Networks
Network segmentation limits the scope of any unauthorized access. By separating VNC-controlled systems from sensitive ICS and data networks, organizations reduce the risk of widespread compromise.
4. Use Secure Network Configurations
A firewall should be configured to restrict access to VNC, allowing connections only from trusted IP addresses or through a VPN. This restricts VNC access to authorized personnel and adds a critical layer of security.
5. Monitor Network Traffic and Access Logs
Continuous monitoring of network activity and VNC access logs can help organizations quickly identify and respond to any suspicious behavior.
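Practices 4 and 5 can be checked against each other: firewall logs should show VNC connections only from the trusted sources the rules allow. The following is an added example, not code from the original article; the log format, the port range (5900 plus display number), the trusted networks and all addresses are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions: VNC listens on 5900 + display number; only the VPN pool and one
# jump host (both constructed here) are allowed to reach it.
VNC_PORTS = range(5900, 5910)
TRUSTED = [ipaddress.ip_network(n) for n in ("10.8.0.0/24", "192.0.2.10/32")]

# Constructed firewall log: timestamp, source, destination, dest port, action.
SAMPLE_LOG = """\
2026-05-30T02:14:07Z 10.8.0.23 10.20.5.11 5900 ALLOW
2026-05-30T02:15:41Z 203.0.113.77 10.20.5.11 5900 DENY
2026-05-30T02:15:42Z 203.0.113.77 10.20.5.12 5901 DENY
2026-05-30T02:15:44Z 203.0.113.77 10.20.5.13 5900 DENY
2026-05-30T03:02:19Z 198.51.100.4 10.20.5.12 5901 ALLOW
2026-05-30T03:05:00Z 198.51.100.4 10.20.5.12 443 ALLOW
malformed line that a real log will sooner or later contain
"""


def review_vnc_access(log_text, deny_threshold=3):
    """Return (exposed, probing).

    exposed: VNC connections the firewall ALLOWED from outside TRUSTED, which
             means a rule is missing or too broad.
    probing: untrusted sources with at least deny_threshold DENIED attempts.
    """
    exposed, denied = [], Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip lines that are not flow records
        ts, src, dst, port, action = fields
        try:
            src_ip, dport = ipaddress.ip_address(src), int(port)
        except ValueError:
            continue                      # skip unparsable address or port
        if dport not in VNC_PORTS or any(src_ip in net for net in TRUSTED):
            continue                      # not VNC, or an expected source
        if action == "ALLOW":
            exposed.append((ts, src, dst, dport))
        elif action == "DENY":
            denied[src] += 1
    probing = sorted(s for s, n in denied.items() if n >= deny_threshold)
    return exposed, probing


if __name__ == "__main__":
    print(review_vnc_access(SAMPLE_LOG))
```

Any entry in `exposed` is a configuration finding to fix at the firewall, while `probing` is context for triage rather than an incident in itself.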
How SASE Providers’ Solutions Enhance VNC Security
SASE providers have emerged as leaders in securing cloud-based access services, particularly for organizations requiring seamless and safe remote connections. A SASE platform combines advanced threat detection, virtual patching, and unified management to provide a robust security framework for VNC and other remote access tools.
SASE platforms allow critical infrastructure organizations to apply virtual patching, blocking exploitation of known vulnerabilities in legacy OT systems without requiring downtime for firmware updates. This is particularly valuable for industrial environments where availability requirements prevent traditional patching cycles.
By adopting SASE’s cloud-based approach, organizations benefit from the following:
- Reduced Downtime: Virtual patching prevents the need to take systems offline, reducing operational disruptions.
- Improved Compliance: CNI organizations are subject to strict compliance requirements. SASE’s robust security protocols can help meet industry standards, including those mandating stringent access control for ICS.
- Enhanced Threat Visibility: Cato’s SASE platform offers real-time monitoring and threat intelligence, enabling rapid response to any detected anomalies.
Moving Forward: Protecting CNI with Comprehensive VNC Security
As critical infrastructure continues to expand its use of remote access tools, the risk of unprotected VNC instances persists. In 2026, regulatory frameworks including the EU NIS2 Directive and the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) impose new obligations on critical infrastructure operators to manage and report security incidents. Organizations that have not audited their internet-exposed services, implemented authentication controls on all remote access tools, and deployed continuous external attack surface monitoring are exposed to both operational risk and regulatory penalty. The 2022 discovery of 8,000 unprotected VNCs was a warning; in 2026, the same exposures continue to appear in new infrastructure every day.
Editor's Note: This article was updated on June 1, 2026.