Port reference

Port 5900 (TCP) – VNC

Virtual Network Computing — graphical remote desktop sharing protocol (RFB).

tcp | Registered | Commonly attacked

Default state

Open on hosts running a VNC server (RealVNC, TightVNC, TigerVNC, macOS Screen Sharing). Frequently exposed to the internet with weak or no authentication.

Common attacks

  • Brute force of the weak 8-character VNC password
  • Access to servers configured with no authentication at all
  • Eavesdropping on unencrypted screen and keystroke traffic
  • Auth-bypass exploits (e.g. RealVNC CVE-2006-2369)

CVE-2006-2369

Hardening

  • Never expose 5900 to the internet — tunnel over SSH or a VPN
  • Always require a password; prefer servers supporting full credential auth
  • Use a VNC build with strong/TLS encryption, or wrap VNC in an encrypted tunnel
  • Restrict source IPs and add rate limiting/lockout
  • Patch the VNC server; older builds have auth-bypass and RCE bugs

nmap snippet

nmap -p5900 --script vnc-info,vnc-title,realvnc-auth-bypass <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 5900?

Port 5900 is the default for VNC (Virtual Network Computing), a graphical remote-desktop protocol based on RFB (Remote Framebuffer). It streams the target's screen to a viewer and relays keyboard and mouse input back, giving full interactive control. Each VNC display increments the port — :0 is 5900, :1 is 5901 — and servers include RealVNC, TightVNC, TigerVNC, and macOS Screen Sharing.

Why it matters for security

Classic VNC authentication is weak: the legacy challenge-response scheme caps passwords at 8 characters, making them easy to brute-force, and many servers are deployed with no password at all. The base protocol is unencrypted, so anyone on the path can watch the screen and capture keystrokes — including typed passwords. An exposed 5900 therefore offers attackers a direct, often trivially accessed window onto the desktop.

How it's attacked

Internet scanners catalog open 5900 ports, and the nmap vnc-info and vnc-title scripts reveal the auth type and the desktop title. Attackers brute-force the short VNC password or simply connect to no-auth servers. Unencrypted sessions are sniffed, and older RealVNC builds are hit with the CVE-2006-2369 authentication bypass via the realvnc-auth-bypass script.

Hardening checklist

Never expose 5900 directly — tunnel VNC over SSH or a VPN so the session is encrypted and gated by strong auth. Always set a password and prefer servers that support full credential authentication and TLS encryption. Restrict source IPs, add rate limiting/lockout, and keep the VNC server patched against auth-bypass and RCE flaws. Use the nmap snippet above to check authentication and encryption on systems you are authorized to assess.
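
What the authentication check reads off the wire, as an added example that is not part of the original page: a parser for the opening RFB handshake that lists the security types a server offers and flags the two weak cases described above (no authentication, classic VNC auth). The sample bytes are constructed, the function names are illustrative, and it assumes the client echoed the server's protocol version.

```python
import re

# Security-type codes from RFC 6143; codes not listed are shown by number.
SEC_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def display_to_port(display: int) -> int:
    """VNC display :N listens on TCP 5900 + N."""
    return 5900 + display


def parse_handshake(banner: bytes, sec_msg: bytes) -> dict:
    """banner: 12-byte ProtocolVersion; sec_msg: the server's security message."""
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner)
    if not m:
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(m.group(1)), int(m.group(2)))
    if version in ((3, 7), (3, 8)):
        # U8 count, then that many U8 codes; a count of 0 means refusal.
        if not sec_msg or len(sec_msg) < 1 + sec_msg[0]:
            raise ValueError("truncated security-type list")
        codes = list(sec_msg[1:1 + sec_msg[0]])
    elif version == (3, 3):
        # The server picks one type and sends it as a big-endian U32 (0 = refusal).
        if len(sec_msg) < 4:
            raise ValueError("truncated security-type word")
        code = int.from_bytes(sec_msg[:4], "big")
        codes = [code] if code else []
    else:
        raise ValueError(f"non-standard version {version}; inspect manually")
    findings = []
    if not codes:
        findings.append("server refused the connection")
    if 1 in codes:
        findings.append("no authentication offered")
    if 2 in codes:
        findings.append("classic VNC auth offered (8-character password limit)")
    names = [SEC_TYPES.get(c, f"type {c}") for c in codes]
    return {"version": version, "types": names, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: (ProtocolVersion banner, security message).
    samples = [(b"RFB 003.008\n", bytes([2, 1, 2])),
               (b"RFB 003.003\n", (2).to_bytes(4, "big")),
               (b"RFB 003.008\n", bytes([1, 19]))]
    for banner, sec in samples:
        print(parse_handshake(banner, sec))
```

A server that offers only an encrypted type such as VeNCrypt produces no findings here; that says nothing about how the wrapped authentication is configured.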

Frequently asked questions

Is VNC on port 5900 secure?

Not by default. Classic VNC limits passwords to 8 characters and sends the screen unencrypted, and some servers allow no authentication. Tunnel it over SSH/VPN and require strong auth.

What is the difference between 5900 and 5901?

5900 is the first VNC display (:0). Additional displays increment the port, so :1 is 5901, :2 is 5902, and so on. Each display is a separate VNC session.