TCP
Dangerous
Remote Access
Port 5902 (VNC-2)
## Quick Info
| Field | Value |
|---|---|
| Port Number | 5902 |
| Protocol | TCP |
| Service | VNC-2 |
| IANA Name | VNC-2 |

## Service Description
TCP port 5902 is commonly associated with the Virtual Network Computing (VNC) protocol, specifically display number 2. VNC is a graphical desktop sharing system that allows users to remotely control the desktop interface of a computer. It is built on the Remote Frame Buffer (RFB) protocol, which transmits pixel data and keyboard/mouse events between a VNC server (running on the machine being controlled) and a VNC client (running on the machine controlling the remote system). Each VNC server instance usually listens on a separate port, with 5900 being the default and subsequent displays incrementing the port number (5901 for display 1, 5902 for display 2, and so on).

The RFB protocol is relatively simple. Transmitting raw pixel data can be computationally expensive, especially over slow network connections, so modern implementations often incorporate compression and encoding schemes to optimize performance. The initial handshake involves authentication, typically using a password; SSH tunneling is also employed for enhanced security. The server listens for incoming connections on the specified port (5902 in this case) and, upon a successful connection and authentication, begins transmitting framebuffer updates to the client and processing input events received from the client.
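The handshake described above can be audited from the server-sent bytes of a packet capture taken on your own network. The following is an added example, not code from this page or from any VNC project; the function names and sample bytes are assumptions made for illustration, and the security-type numbers are those registered for RFB.

```python
import struct

# Security-type numbers as registered for the RFB protocol.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
                  16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt"}

def display_to_port(display):
    """Display N listens on TCP 5900 + N (display 2 -> 5902)."""
    return 5900 + display

def parse_server_hello(data):
    """Parse ProtocolVersion and the security message from server-sent bytes."""
    if len(data) < 12 or data[:4] != b"RFB " or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(data[4:7].decode("ascii")), int(data[8:11].decode("ascii"))
    body, reason = data[12:], None
    if (major, minor) >= (3, 7):
        # RFB 3.7+: one count byte, then that many one-byte security types.
        if not body:
            raise ValueError("security types missing")
        count, offered = body[0], body[1:1 + body[0]]
        if len(offered) != count:
            raise ValueError("truncated security-type list")
        types, tail = list(offered), body[1 + count:]
    else:
        # RFB 3.3: the server picks a single type and sends it as a U32.
        if len(body) < 4:
            raise ValueError("security type missing")
        chosen, tail = struct.unpack(">I", body[:4])[0], body[4:]
        types = [chosen] if chosen else []
    if not types and len(tail) >= 4:
        # Zero types means the server refused; a length-prefixed reason follows.
        (n,) = struct.unpack(">I", tail[:4])
        reason = tail[4:4 + n].decode("latin-1")
    return {"version": (major, minor), "types": types, "reason": reason}

def assess(hello):
    """Return audit findings for the security types a server offered."""
    findings = []
    for t in hello["types"]:
        if t == 1:
            findings.append("None: desktop reachable without credentials")
        elif t == 2:
            findings.append("VNC Authentication: password only, session unencrypted")
        elif t not in SECURITY_TYPES:
            findings.append(f"security type {t} is not in this table")
    return findings

# Constructed server-side bytes (not captured from a real host).
SAMPLE_OPEN = b"RFB 003.008\n" + bytes([2, 1, 2])
SAMPLE_TLS = b"RFB 003.008\n" + bytes([1, 19])
SAMPLE_REFUSED = b"RFB 003.008\n\x00" + struct.pack(">I", 8) + b"too many"
```

A server that offers only an encrypted type such as VeNCrypt produces no findings here; one that offers type 1 or type 2 is a candidate for the tunneling and access restrictions recommended below.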
## Firewall Recommendations
Blocking port 5902 is recommended if VNC is not actively used on the system. If VNC is required, it should never be directly exposed to the public internet. Instead, it is strongly advised to use SSH tunneling or a VPN to establish a secure connection to the VNC server. Ensure that VNC servers are configured with strong, unique passwords and that the latest security patches are applied. Consider implementing multi-factor authentication where supported. Limit access to the VNC server to specific IP addresses or networks. Regularly audit VNC server configurations and logs to detect suspicious activity. Employing network intrusion detection systems (NIDS) can help identify and block malicious attempts to exploit VNC vulnerabilities.
## Security Information
VNC is inherently a high-risk service if not properly secured. The protocol itself has known weaknesses, including the potential for man-in-the-middle attacks if the connection is not encrypted. Unencrypted VNC connections transmit passwords and screen data in the clear, making them vulnerable to eavesdropping. Default configurations often use weak passwords or no password at all, which allows unauthorized access to the remote system. Attackers frequently target VNC servers through brute-force password attacks or by exploiting known vulnerabilities in specific VNC implementations. Furthermore, a compromised VNC server grants an attacker full control over the remote machine's graphical interface, allowing them to execute commands, access sensitive data, and install malware. VNC servers listening on public networks are particularly vulnerable to these attacks.
## Known Vulnerabilities
| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2015-0936 | TightVNC Authentication Bypass Vulnerability | High | TightVNC allows remote attackers to bypass authentication by sending a crafted SetPixelFormat message. |
| CVE-2018-20335 | LibVNC heap-based buffer overflow | High | Heap-based buffer overflow in VNC server in LibVNC allows attackers to cause a denial of service or possibly execute arbitrary code via a crafted FramebufferUpdate message. |
| CVE-2016-9941 | UltraVNC authentication bypass | Critical | UltraVNC allows remote attackers to bypass authentication by sending a crafted VNC packet. |
| CVE-2021-28129 | TigerVNC Integer Overflow | High | Integer overflow vulnerability in the ServerCutText function in TigerVNC allows remote attackers to execute arbitrary code via a crafted cut-text message. |
| CVE-2023-31479 | RealVNC VNC Server Heap-based Buffer Overflow Vulnerability | High | A heap-based buffer overflow vulnerability exists in the VNC Server component of RealVNC VNC Server 7.7.0. Specially crafted TCP packets can cause a write out of bounds, resulting in denial of service. |
## Common Software
- TightVNC
- RealVNC
- UltraVNC
- TigerVNC
- x11vnc
- Remmina
- Vinagre
- VNC Viewer
- Apple Remote Desktop
- Chrome Remote Desktop