Are there any known security vulnerabilities?


RealVNC Ltd has a clear track record in providing secure software. Current versions are not affected by any known vulnerabilities.

Previous versions released between 2004 and 2013 have been affected by the following issues:

CVE-2013-6886 (No remote threat, local access required)

VNC 5.0.6 allows local users to execute arbitrary code as root by passing a maliciously crafted argument vector to the vncserver (Mac) and vncserver-x11/Xvnc (Linux, Solaris, AIX, HP-UX) setuid-root helpers. The vulnerability affects VNC 5.0.6 only, and is fixed in VNC 5.0.7. VNC 5.1.0 and later are not affected. VNC on Windows is not affected.

CVE-2008-4770 (Moderate — only affects VNC Viewer)

The CMsgReader::readRect function in VNC Viewer provided with VNC Free Edition 4.0 through 4.1.2, VNC Enterprise Edition 4.0 through 4.4.2, and VNC Personal Edition 4.0 through 4.4.2 allows a remote VNC Server to execute arbitrary code via crafted RFB protocol data, related to encoding type.

CVE-2008-3493 (Not severe — only affects VNC Viewer)

VNC Viewer allows a remote VNC Server to cause a denial of service (application crash) via a crafted framebuffer update packet.

CVE-2006-2369 (Severe)

VNC Enterprise Edition 4.1.1, and other products that embed RealVNC such as AdderLink IP and Cisco CallManager, allow remote attackers to bypass authentication via a request in which a client specifies an insecure security type (for example, "Type 1 - None") that is accepted even if it is not offered by VNC Server, as originally demonstrated using a long password.
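
The class of flaw behind CVE-2006-2369, shown as an added example that is not RealVNC source code: a server that honours any security type it implements, next to one that honours only a type it actually offered on this connection. The function names and the set of implemented types are assumptions made for illustration; the type numbers 0, 1 and 2 are those of the RFB protocol.

```cpp
// Added example (not RealVNC code): validating the client's RFB security-type choice.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Security-type numbers defined by the RFB protocol.
constexpr std::uint8_t kSecInvalid = 0;  // used here as the "reject" result
constexpr std::uint8_t kSecNone    = 1;  // "Type 1 - None": no authentication
constexpr std::uint8_t kSecVncAuth = 2;  // VNC Authentication (challenge/response)

// Assumption: this hypothetical server build has handlers for types 1 and 2.
bool is_implemented(std::uint8_t t) { return t == kSecNone || t == kSecVncAuth; }

// Server's security handshake message (RFB 3.7+): a count, then the offered types.
std::vector<std::uint8_t> offer_message(const std::vector<std::uint8_t>& offered) {
    std::vector<std::uint8_t> msg(1, static_cast<std::uint8_t>(offered.size()));
    msg.insert(msg.end(), offered.begin(), offered.end());
    return msg;
}

// Flawed pattern: the reply byte is trusted as long as a handler exists for it,
// so the offered list never constrains what the client can select.
std::uint8_t select_unchecked(std::uint8_t client_choice) {
    return is_implemented(client_choice) ? client_choice : kSecInvalid;
}

// Hardened pattern: the reply must be one of the types sent in offer_message()
// for this connection; anything else ends the handshake.
std::uint8_t select_checked(const std::vector<std::uint8_t>& offered,
                            std::uint8_t client_choice) {
    bool was_offered =
        std::find(offered.begin(), offered.end(), client_choice) != offered.end();
    if (!was_offered || !is_implemented(client_choice)) return kSecInvalid;
    return client_choice;
}

int main() {
    // Constructed configuration: the server requires password authentication.
    std::vector<std::uint8_t> offered(1, kSecVncAuth);
    std::printf("offer length: %zu bytes\n", offer_message(offered).size());
    std::printf("unchecked, reply=1 -> %d\n", select_unchecked(kSecNone));
    std::printf("checked,   reply=1 -> %d\n", select_checked(offered, kSecNone));
    std::printf("checked,   reply=2 -> %d\n", select_checked(offered, kSecVncAuth));
    return 0;
}
```

A result of 0 means the connection is refused; the same membership test is a useful regression check for any product that embeds an RFB server.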

CVE-2004-1750 (Not severe — only affects VNC Server)

VNC Enterprise Edition 4.0 and earlier allows remote attackers to cause a denial of service (crash) via a large number of connections to port 5900.

If you come across a security issue with VNC that is not listed above, please contact us via our Help Center.
