What Italy’s CSIRT reported
On 16 April 2026 the CSIRT Italia (Computer Security Incident Response Team set up at ACN, Italy’s National Cybersecurity Agency) published bulletin BL01/260416 with severity High (70/100). The bulletin reports an increase in hostile activity — often attributed to hacktivist groups such as NoName057 — against SCADA equipment, IoT devices, industrial systems and home consoles exposed on the Internet via inadequately protected VNC services.
The problem is not theoretical. Services like Shodan and Censys constantly map VNC services exposed on port 5900/TCP (and on all derived ports 5800-5899): an attacker needs only a few seconds to identify the exposed Italian attack surface and try weak credentials, «guest» configurations or known vulnerabilities of the underlying RFB protocol.
Why Internet-facing VNC is structurally weak
VNC (Virtual Network Computing) began as a tool for remote access to a shared screen. The underlying protocol, RFB (Remote Frame Buffer), was designed in an era with a different threat model. The structural problems that make it unsuitable for direct Internet exposure are well known and cannot be solved without changing the architecture:
- Weak or absent default encryption — many VNC implementations, in default configuration, do not encrypt traffic robustly: passive interception (Man-in-the-Middle) allows an attacker to read credentials and session content.
- Passwords capped at 8 characters — some popular VNC variants accept only passwords up to 8 characters, vulnerable to brute force in acceptable timeframes for a modern attacker with cloud resources.
- Misconfigured «guest» or «view only» modes — it is not unusual to find industrial VNC instances with no-credentials access, often because the supplier left a temporary configuration in place during installation that was never revisited.
- Non-granular privileges — whoever logs in, by default, sees everything and can do everything: there is no concept of role, authorisation on specific resources or centralised audit trail of actions performed.
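As an added example (not from the bulletin or from AtWorkStudio), the code below parses the first bytes an RFB server sends, as laid out in RFC 6143, and flags the two security types behind the no-credentials and 8-character-password problems listed above. The byte strings and asset names are constructed, and the parser assumes the client answered with the server's own protocol version.

```python
import struct

# Security-type numbers from RFC 6143 section 7.1.2 (subset used here).
NONE, VNC_AUTH = 1, 2
FINDINGS = {
    NONE: "no-auth: desktop is reachable without any credentials",
    VNC_AUTH: "weak-auth: DES challenge-response, password limited to 8 "
              "characters, session not encrypted",
}

def parse_server_hello(data: bytes) -> dict:
    """Parse ProtocolVersion plus the security message sent by an RFB server."""
    if (len(data) < 12 or data[:4] != b"RFB "
            or data[7:8] != b"." or data[11:12] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(data[4:7]), int(data[8:11]))
    rest = data[12:]
    if version < (3, 7):
        # RFB 3.3: the server decides and sends one type as a 32-bit integer.
        if len(rest) < 4:
            raise ValueError("truncated security type")
        types = [struct.unpack(">I", rest[:4])[0]]
    else:
        # RFB 3.7/3.8: a count byte, then that many one-byte security types.
        if not rest or len(rest) < 1 + rest[0]:
            raise ValueError("truncated security-type list")
        types = list(rest[1:1 + rest[0]])
    # Type 0 (3.3) or an empty list (3.7+) means the server refused the connection.
    types = [t for t in types if t != 0]
    return {"version": version, "types": types,
            "findings": [FINDINGS[t] for t in types if t in FINDINGS]}

# Constructed server-to-client byte strings (not real captures);
# the asset names are hypothetical.
SAMPLES = {
    "hmi-panel": b"RFB 003.008\n" + bytes([1, NONE]),
    "old-console": b"RFB 003.003\n" + struct.pack(">I", VNC_AUTH),
    "engineering-ws": b"RFB 003.008\n" + bytes([1, 19]),  # 19 = VeNCrypt
}

def audit(samples: dict) -> dict:
    """Map each asset name to its list of findings."""
    return {name: parse_server_hello(raw)["findings"] for name, raw in samples.items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLES).items():
        print(name, "->", findings or ["neither None nor VNC Authentication offered"])
```

An empty findings list only means neither of these two types was offered; it says nothing about how the remaining types are configured.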
Why Italian manufacturing SMEs are in the crosshairs
Italian manufacturing SMEs — very common in Emilia-Romagna and around Piacenza — are particularly exposed for concrete reasons. They run PLCs, machine consoles, SCADA systems and IP cameras installed years ago, when industrial cybersecurity was not a central topic. To allow remote support from suppliers and maintainers — often outside the corporate perimeter — these devices are exposed directly to the Internet via VNC, in many cases with no VPN, no MFA and no access monitoring system.
The result is a combination that opportunistic attackers — and hacktivist groups oriented to hitting Italian industry — find very attractive: a direct attack surface mapped publicly, potentially serious consequences (production downtime, process tampering, exfiltration of industrial parameters) and low internal visibility at the moment when someone is trying to get in.
Three concrete alternatives to exposed VNC
Replacing «raw» VNC on the Internet does not mean giving up remote access: it means putting it inside a controlled perimeter. Three architectures work well for Italian SMEs:
1. Corporate VPN with MFA — remote access concentrates into a single controlled point (VPN gateway), protected by MFA. VNC stays internal, never directly exposed. Simple solution, suitable also for small SMEs.
2. Zero Trust Network Access (ZTNA) — instead of a VPN that grants generic network access, ZTNA grants access to individual resources, authenticating each user for each specific resource, with continuous identity and context verification. Particularly suitable for managing different access patterns between suppliers, maintainers and employees.
3. Jump host (bastion) with MFA and audit trail — a single hardened server reachable from the Internet, from which you reach internal industrial systems. All sessions are recorded for audit and later review. Proven solution for environments with compliance requirements.
All three, in addition, must be accompanied by network segregation that separates traditional IT (offices, ERP, servers) from OT (production line, PLCs, SCADA, cameras). It is the only way to prevent an office-side compromise from propagating towards the shop floor, or vice versa.
Where to start with AtWorkStudio
The first step is knowing what you have actually exposed. AtWorkStudio offers SMEs an external perimeter vulnerability assessment that, in a few hours, identifies all services reachable from the Internet — VNC, RDP, industrial consoles, admin panels, backup consoles — and evaluates their security posture. Based on that map, we build a roadmap together to remove direct accesses, replace them with VPN/ZTNA/jump hosts and enforce IT/OT segregation.
We have been operating from Piacenza (Italy) since 2000 and we know the dynamics of local manufacturing SMEs. Remote-access modernisation projects can fall within the eligible expenses of the MIMIT cloud and cybersecurity voucher for Italian SMEs. We are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, ACN-qualified for SaaS cloud services, members of Clusit (Italian Association for Information Security) and associated with Confindustria Piacenza in the RICT cluster.
Sources
- ACN/CSIRT Italia — Bulletin BL01/260416 of 16 April 2026, severity High (70/100)
- RFC 6143 — The Remote Framebuffer Protocol (technical specification of the RFB protocol underlying VNC)
- Shodan and Censys — public databases of services exposed on the Internet, including ports 5800-5899/TCP
- NIST SP 800-82 — Guide to Operational Technology (OT) Security
- ENISA — Good practices for secure remote access to industrial systems