Dozens of Severe Flaws Found in 4 Popular Open Source VNC Software
Swati Khandelwal, Nov 23, 2019

Four popular open-source VNC remote desktop applications have been found vulnerable to a total of 37 security vulnerabilities, many of which went unnoticed for the last 20 years, and the most severe of which could allow remote attackers to compromise a targeted system.

VNC (Virtual Network Computing) is an open source graphical desktop sharing protocol based on RFB (Remote FrameBuffer) that allows users to remotely control another computer, similar to Microsoft's RDP service.

The implementation of the VNC system includes a "server component," which runs on the computer sharing its desktop, and a "client component," which runs on the computer that will access the shared desktop. In other words, VNC allows you to use your mouse and keyboard to work on a remote computer as if you were sitting in front of it.

There are numerous VNC applications, both free and commercial, compatible with widely used operating systems like Linux, macOS, Windows, and Android.

Considering that there are currently over 600,000 VNC servers accessible remotely over the Internet, nearly 32% of which are connected to industrial automation systems, cybersecurity researchers at Kaspersky audited four widely used open source implementations of VNC:
  • LibVNC
  • UltraVNC
  • TightVNC 1.x
  • TurboVNC
After analyzing these VNC applications, the researchers found a total of 37 new memory corruption vulnerabilities in client and server software: 22 of them in UltraVNC, 10 in LibVNC, 4 in TightVNC, and just 1 in TurboVNC.
"All of the bugs are linked to incorrect memory usage. Exploiting them leads only to malfunctions and denial of service — a relatively favorable outcome," Kaspersky says. "In more serious cases, attackers can gain unauthorized access to information on the device or release malware into the victim's system."
Some of the discovered security vulnerabilities can also lead to remote code execution (RCE) attacks, meaning an attacker could exploit these flaws to run arbitrary code on the targeted system and gain control over it.

Since the client-side app receives more data and contains the data decoding components where developers often make errors while programming, most of the vulnerabilities affect the client-side version of these applications.

On the other hand, the server side has a relatively small code base with almost no complex functionality, which reduces the chances of memory-corruption vulnerabilities. However, the team discovered some exploitable server-side bugs, including a stack buffer overflow flaw in the TurboVNC server that makes it possible to achieve remote code execution on the server.

But exploiting this flaw requires authentication credentials to connect to the VNC server, or control over the client before the connection is established. Therefore, as a safeguard against attacks exploiting server-side vulnerabilities, clients are recommended not to connect to untrusted or untested VNC servers, and administrators must protect their VNC servers with a unique, strong password.

Kaspersky reported the vulnerabilities to the affected developers, all of which have issued patches for their supported products, except for TightVNC 1.x, which is no longer supported by its creators. Users of TightVNC 1.x are therefore recommended to switch to version 2.x.
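The decoding problem the article describes, a client trusting length fields supplied by the server, is the bug class behind memory corruption in protocol parsers. The C program below is an added example, not code from the article, from Kaspersky, or from any of the four audited projects. It parses the RFB ServerInit message (layout as specified in RFC 6143: width, height, 16-byte pixel format, 4-byte name length, name string) and shows the two bounds checks a client needs before copying the server-chosen desktop name. The `RFB_NAME_MAX` cap, the helper names, and the sample bytes are constructed for this example.

```c
/* Added example: bounds-checked parser for the RFB ServerInit message.
 * Not taken from LibVNC, UltraVNC, TightVNC or TurboVNC. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RFB_SERVERINIT_HDR 24   /* width(2) + height(2) + pixel format(16) + name-length(4) */
#define RFB_NAME_MAX       255  /* client-chosen cap on the desktop name (assumption for this example) */

struct server_init {
    uint16_t width;
    uint16_t height;
    uint8_t  pixel_format[16];
    uint32_t name_len;
    char     name[RFB_NAME_MAX + 1];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, -1 if the message is truncated or the name is too long.
 * Every read is checked against `len`, the number of bytes actually received,
 * so a hostile server cannot make the client read or copy past its buffers. */
int parse_server_init(const uint8_t *buf, size_t len, struct server_init *out)
{
    if (buf == NULL || out == NULL || len < RFB_SERVERINIT_HDR)
        return -1;
    out->width  = be16(buf);
    out->height = be16(buf + 2);
    memcpy(out->pixel_format, buf + 4, 16);
    out->name_len = be32(buf + 20);
    /* The two checks a decoder must not skip: the server-chosen length must fit
     * the destination buffer AND the bytes must actually be present in the input. */
    if (out->name_len > RFB_NAME_MAX)
        return -1;
    if (out->name_len > len - RFB_SERVERINIT_HDR)
        return -1;
    memcpy(out->name, buf + RFB_SERVERINIT_HDR, out->name_len);
    out->name[out->name_len] = '\0';
    return 0;
}

/* Constructed sample: an 800x600 desktop, 32bpp true-colour, named "demo". */
static const uint8_t SAMPLE_OK[] = {
    0x03, 0x20, 0x02, 0x58,
    32, 24, 0, 1, 0, 255, 0, 255, 0, 255, 16, 8, 0, 0, 0, 0,
    0, 0, 0, 4, 'd', 'e', 'm', 'o'
};

/* Well-formed message: returns the parsed width (800) or -1 on failure. */
int sample_ok_width(void)
{
    struct server_init si;
    return parse_server_init(SAMPLE_OK, sizeof SAMPLE_OK, &si) == 0 ? si.width : -1;
}

/* Same header, but name-length claims 1 MiB while only 4 bytes follow. */
int oversize_rejected(void)
{
    struct server_init si;
    uint8_t bad[sizeof SAMPLE_OK];
    memcpy(bad, SAMPLE_OK, sizeof bad);
    bad[20] = 0x00; bad[21] = 0x10; bad[22] = 0x00; bad[23] = 0x00;
    return parse_server_init(bad, sizeof bad, &si);
}

/* Only 10 of the 24 header bytes received: must be rejected, not read past. */
int truncated_rejected(void)
{
    struct server_init si;
    return parse_server_init(SAMPLE_OK, 10, &si);
}

int main(void)
{
    struct server_init si;
    if (parse_server_init(SAMPLE_OK, sizeof SAMPLE_OK, &si) == 0)
        printf("%ux%u \"%s\"\n", si.width, si.height, si.name);
    printf("oversized name rejected: %s\n", oversize_rejected() == -1 ? "yes" : "no");
    printf("truncated header rejected: %s\n", truncated_rejected() == -1 ? "yes" : "no");
    return 0;
}
```

The same pattern applies to every later message a client decodes (framebuffer updates, cut-text, pseudo-encodings): compare the advertised length against both the destination capacity and the bytes actually received before any copy. Fuzzing the client with a server stub that emits such messages is the cheapest way to find the cases where one of the two checks is missing.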