CVE-2006-2369
published 2006-05-15

Priority: P277 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: EXPLOIT
EPSS: 91.52% (99.8th percentile)
RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and Cisco CallManager, allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, as originally demonstrated using a long password.

Affected

11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| any1 | neatvnc | < 0.8.1 | 0.8.1 |
| any1 | neatvnc | >= 0 < 0.8.0+dfsg-2 | 0.8.0+dfsg-2 |
| any1 | neatvnc | >= 0 < 0.8.0+dfsg-2 | 0.8.0+dfsg-2 |
| debian | libvncserver | < libvncserver 0.8.2-1 (bookworm) | libvncserver 0.8.2-1 (bookworm) |
| debian | neatvnc | < neatvnc 0.8.0+dfsg-2 (forky) | neatvnc 0.8.0+dfsg-2 (forky) |
| libvncserver | libvncserver | | |
| libvncserver_project | libvncserver | >= 0 < 0.8.2-1 | 0.8.2-1 |
| libvncserver_project | libvncserver | >= 0 < 0.8.2-1 | 0.8.2-1 |
| libvncserver_project | libvncserver | >= 0 < 0.8.2-1 | 0.8.2-1 |
| libvncserver_project | libvncserver | >= 0 < 0.8.2-1 | 0.8.2-1 |
| vnc | realvnc | | |

Detection & IOCs (extracted from sources)

port: 5900
version: RFB 003.008
bytes: \x01\x01 (NULL auth type advertised to client)
bytes: \x00\x00\x00\x00 (auth result success spoofed to client)
bytes: \x01 (secTypeNone sent to server)

  • Detect VNC servers advertising only NULL (secTypeNone = 0x01) authentication — a server sending exactly the two-byte sequence 0x01 0x01 indicates only None auth is offered, which is the bypass condition.
  • Flag VNC handshakes where the RFB protocol version is exactly 'RFB 003.008' followed by a client selecting security type 0x01 (None) — this is the vulnerable negotiation path for RealVNC 4.1.0/4.1.1.
  • Monitor for a MitM proxy pattern on port 5900 where a client receives 0x01 0x01 (only None auth) but the upstream server originally offered multiple auth methods — indicative of the bypass proxy technique.
  • Use the Metasploit auxiliary scanner module for VNC None-auth detection as a proactive sweep against exposed VNC services.
  • The vulnerability affects only RealVNC versions 4.1.0 and 4.1.1; the exploit checks for the exact RFB 003.008 banner to confirm vulnerability before proceeding.
  • CVE-2024-42458 in Neat VNC (neatvnc before 0.8.1) is a related but distinct issue — it also fails to properly validate the security type, so detection logic for improper security-type negotiation applies to both.
  • The exploit operates as a transparent proxy (MitM) between a VNC client and server; detection must account for the attacker-controlled relay rather than a direct client-to-server connection.
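
The negotiation checks listed above can be expressed as one pass over the first bytes each side sends in an RFB 3.8 handshake. This is an added example, not code from this page or from any of the affected projects; the function name, the finding labels and the assumption that a sensor has already reassembled both directions of the TCP stream are illustrative.

```python
import struct

BANNER = b"RFB 003.008\n"   # 12-byte ProtocolVersion message
SEC_NONE = 0x01             # security type 1, "None"

def analyze_handshake(server: bytes, client: bytes) -> list:
    """Findings for one RFB 3.8 handshake.

    server / client: the first bytes each side sent, already reassembled
    from the TCP stream (assumption about the sensor feeding this check).
    """
    if server[:12] != BANNER or client[:12] != BANNER:
        return []                       # only the 3.8 negotiation is modelled
    if len(server) < 13 or len(client) < 13:
        return ["incomplete"]
    count = server[12]                  # number-of-security-types
    offered = server[13:13 + count]     # one byte per offered type
    if count == 0 or len(offered) < count:
        return ["incomplete"]           # refused connection or truncated capture
    selected = client[12]               # the client's single-byte choice
    after_types = server[13 + count:]   # what the server sent next
    findings = []
    if set(offered) == {SEC_NONE}:
        findings.append("only-none-offered")
    if selected == SEC_NONE:
        findings.append("none-selected")
    if selected not in offered:
        findings.append("unoffered-type-selected")
        # After type None the server's next message is the 4-byte
        # SecurityResult; 0 means OK, i.e. the server accepted the choice.
        if selected == SEC_NONE and len(after_types) >= 4 \
                and struct.unpack(">I", after_types[:4])[0] == 0:
            findings.append("unoffered-none-accepted")
    return findings

# Constructed sample streams (not captures from a real host).
CHALLENGE, RESPONSE = bytes(16), bytes(16)
NORMAL = (BANNER + b"\x01\x02" + CHALLENGE + b"\x00\x00\x00\x00",
          BANNER + b"\x02" + RESPONSE)
BYPASS = (BANNER + b"\x01\x02" + b"\x00\x00\x00\x00", BANNER + b"\x01")
NONE_ONLY = (BANNER + b"\x01\x01" + b"\x00\x00\x00\x00", BANNER + b"\x01")

if __name__ == "__main__":
    for name, (srv, cli) in [("normal", NORMAL), ("bypass", BYPASS),
                             ("none-only", NONE_ONLY)]:
        print(name, analyze_handshake(srv, cli))
```

The "unoffered-none-accepted" finding is the server-side condition in the CVE description; "only-none-offered" seen by a client whose server is known to offer other types corresponds to the proxy pattern in the third bullet.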

CVSS provenance

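| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |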