Port reference
Port 5800 (TCP) – VNC over HTTP
HTTP service that delivers a browser-based VNC client, paired with the VNC server on port 5900.
Default state
Open on VNC servers with the built-in web/Java viewer enabled (e.g. RealVNC, TightVNC). Often exposed alongside 5900 with weak or no authentication.
Common attacks
- Connecting to no-auth or weakly authenticated desktops via the browser
- Brute force of the short VNC password reached through the web client
- Fingerprinting exposed VNC web pages with http-title scanning
- Eavesdropping on the unencrypted session served behind the page
Hardening
- Disable the HTTP/web viewer if you do not need browser access
- Never expose 5800 or 5900 to the internet — tunnel over SSH or VPN
- Require a strong VNC password and prefer TLS-capable servers
- Restrict source IPs and add rate limiting/lockout
- Keep the VNC server patched against auth-bypass and RCE bugs
nmap snippet
nmap -p5800 --script http-title,vnc-info <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 5800?
Port 5800 is the default HTTP port used by some VNC servers (RealVNC,
TightVNC) to serve a browser-based VNC client — historically a Java applet,
later JavaScript. A user points a browser at http://host:5800/, loads the
viewer, and it connects back to the actual VNC server on 5900. It exists to
let people use VNC without installing a native client.
Why it matters for security
The web client is just a front end for VNC, so it inherits every VNC weakness: the legacy 8-character password cap, servers deployed with no authentication, and an unencrypted RFB session. Exposing 5800 makes that desktop reachable from any browser on the internet, lowering the bar for an attacker who would otherwise need a VNC client. The page itself also advertises that VNC is present.
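To see which of these weaknesses a given server actually carries, an auditor can read the security types it offers in the RFB handshake on 5900. The following is an added example, not code from the original page: the function names are hypothetical, the sample bytes are constructed, and the type numbers are taken from the RFB specification (RFC 6143).

```python
import struct

# Security-type numbers as assigned in RFC 6143 and the IANA RFB registry.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight",
                  18: "TLS", 19: "VeNCrypt"}
TLS_TYPES = {18, 19}


def parse_handshake(banner: bytes, security_msg: bytes) -> dict:
    """Parse the server's 12-byte version banner and its security message."""
    if (len(banner) != 12 or banner[:4] != b"RFB "
            or banner[7:8] != b"." or banner[11:] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion banner")
    version = (int(banner[4:7]), int(banner[8:11]))
    if version < (3, 7):
        # RFB 3.3: the server chooses one type and sends it as a 32-bit integer.
        if len(security_msg) < 4:
            raise ValueError("truncated security message")
        types = [struct.unpack(">I", security_msg[:4])[0]]
    else:
        # RFB 3.7 and later: a count byte, then that many one-byte types.
        if not security_msg or len(security_msg) < 1 + security_msg[0]:
            raise ValueError("truncated security message")
        types = list(security_msg[1:1 + security_msg[0]])
    return {"version": version, "types": types, "findings": audit(types)}


def audit(types: list) -> list:
    """Map offered security types to the weaknesses named on this page."""
    offered = set(types) - {0}  # 0 is "Invalid" and signals a refused connection
    findings = []
    if 1 in offered:
        findings.append("no-auth: desktop reachable without a password")
    if 2 in offered:
        findings.append("legacy-password: VNC Authentication, 8-character cap")
    if offered and not offered & TLS_TYPES:
        findings.append("no-tls: no TLS or VeNCrypt type offered")
    return findings


if __name__ == "__main__":
    # Constructed sample: an RFB 3.8 server offering None and VNC Authentication.
    result = parse_handshake(b"RFB 003.008\n", bytes([2, 1, 2]))
    names = [SECURITY_TYPES.get(t, f"type {t}") for t in result["types"]]
    print(result["version"], names)
    for finding in result["findings"]:
        print(" -", finding)
```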
How it's attacked
Scanners catalog open 5800 ports and nmap's http-title script flags the VNC
viewer page, signposting a likely open 5900 beside it. Attackers load the web
client and connect to no-auth desktops or brute-force the short password.
The underlying session is unencrypted, so it can also be sniffed in transit.
Hardening checklist
If you do not need browser access, disable the HTTP/web viewer entirely. Never expose 5800 or 5900 to the internet — tunnel over SSH or a VPN. Require a strong VNC password, prefer servers with TLS, restrict source IPs, and add rate limiting/lockout. Keep the VNC server patched against auth-bypass and RCE flaws, and use the nmap snippet above to confirm exposure on hosts you are authorized to assess.
Frequently asked questions
- How is 5800 different from 5900?
  5900 is the raw VNC (RFB) protocol port. 5800 is an HTTP port that serves a Java/JavaScript VNC client to a browser, which then connects back to the VNC server on 5900.
- Is the VNC web client on 5800 secure?
  No more than VNC itself. It fronts the same weak password scheme and unencrypted session, so an exposed 5800 lets anyone reach the desktop from a browser. Tunnel it and require strong auth.