RDP Alert: 415K Exposed Servers, 23% Surge in 2026
Executive Summary
As of May 2026, there are 415,395 Remote Desktop Protocol (RDP) servers exposed to the internet, a critical security concern for organizations globally. This exposure represents a growing trend in cyber vulnerabilities, with the United States and China leading the count at 81,002 and 80,022 instances, respectively. Germany, Vietnam, and Hong Kong also show significant numbers, each with tens of thousands of exposed RDP servers. The high prevalence of exposed RDP servers highlights the urgent need for improved security measures and adherence to compliance standards.
90% of cyberattacks handled by Sophos in 2023 involved the abuse of RDP.
The extensive exposure of RDP servers is particularly concerning given the increasing sophistication of threat actors who exploit these vulnerabilities. Recent breaches, such as the North Korean remote worker scam and the BeyondTrust RCE vulnerability, underscore the potential financial and operational impacts of unsecured RDP access. With cybercriminals leveraging RDP as a primary attack vector, organizations must prioritize securing their remote access infrastructure.
This situation demands immediate attention, as many exposed systems still run outdated software susceptible to known exploits like BlueKeep. The continued focus on RDP by ransomware groups like LockBit and Ghost further amplifies the risk. In light of these developments, it is imperative for security teams to enforce stringent access controls, regular patching, and comprehensive monitoring to safeguard against these pervasive threats.
Exposure Analysis
Remote Desktop Protocol (RDP) servers exposed to the internet present a significant security challenge. The latest data from Shodan indicates 415,395 instances currently exposed globally. This exposure is critical as RDP remains a favored target for cybercriminals seeking unauthorized access to networks.
Geographic Distribution
| Country | Exposed Instances |
|---|---|
| United States | 81,002 |
| China | 80,022 |
| Germany | 36,237 |
| Vietnam | 23,383 |
| Hong Kong | 21,255 |
| Japan | 15,437 |
| United Kingdom | 12,152 |
| Brazil | 11,180 |
| Netherlands | 9,909 |
| France | 9,732 |
The geographic distribution of exposed RDP servers shows a significant concentration in the United States and China, each with over 80,000 instances. This concentration is indicative of the high adoption of remote work technologies in these regions, which, when not properly secured, increases the risk of exploitation by threat actors. The presence of substantial numbers in Germany, Vietnam, and Hong Kong further highlights the global nature of this exposure.
Organizational Exposure
| Organization | Exposed Instances |
|---|---|
| Contabo GmbH | 14,598 |
| Beijing Jingdong 360 Degree E-commerce Co., Ltd. | 12,043 |
| Hetzner Online GmbH | 11,787 |
| Huawei Public Cloud Service | 11,180 |
| GoDaddy.com, LLC | 6,469 |
| OPTAGE Inc. | 6,298 |
| RouterHosting LLC | 5,941 |
| UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED | 5,558 |
| CHINANET Guangdong province network | 4,507 |
| Korea Telecom | 3,894 |
From an organizational perspective, companies like Contabo GmbH and Beijing Jingdong 360 Degree E-commerce Co., Ltd. exhibit high numbers of exposed RDP instances. These entities, along with others listed, highlight the critical need for enhanced security measures and monitoring capabilities to mitigate potential threats. The prevalence across various sectors suggests that exposure is not limited to any single industry, further complicating defensive strategies.
Although specific trend data over time is unavailable in this briefing, the current volume of exposed instances suggests a persistent risk landscape. Organizations must prioritize securing their RDP configurations, applying patches, and implementing strong authentication measures to reduce their attack surface in an increasingly hostile cyber environment.
Threat Landscape
The exposure of Remote Desktop Protocol (RDP) servers to the internet presents a substantial threat landscape, as they are frequently targeted by various cybercriminal groups, including ransomware operators and Advanced Persistent Threat (APT) groups. This section examines specific threat actors and incidents that underscore the risks associated with RDP.
Notable Threat Actors and Ransomware Families
- LockBit Ransomware Group: Known for exploiting vulnerabilities in remote access tools, including RDP, to deploy ransomware. LockBit has been actively involved in targeting organizations by leveraging weaknesses in remote access protocols to execute attacks (LayerLogix).
- Black Basta Ransomware Group: Utilizes authentication bypass vulnerabilities in remote support platforms to conduct malicious activities, including ransomware deployment. This group has been implicated in multiple campaigns exploiting RDP weaknesses (LayerLogix).
- Ghost Ransomware Group: Ghost has exploited vulnerabilities in remote access tools, such as RDP, to gain unauthorized access to systems, leading to the deployment of ransomware (LayerLogix).
Significant Incidents Involving RDP
- North Korean Remote Worker Scam (May 2026): This incident involved North Korean operatives posing as remote IT workers. They exploited RDP-enabled laptops sent by U.S. companies to access corporate networks remotely. The scheme impacted nearly 70 U.S. companies and generated over $1.2 million for North Korea (Tom's Hardware).
- BeyondTrust RCE Vulnerability (February 2026): BeyondTrust disclosed a critical remote code execution (RCE) vulnerability in its Remote Support products, potentially affecting 11,000 systems. Although no active exploitation was reported, the vulnerability highlighted the risks associated with unauthorized RDP access (TechRadar).
- AnyDesk Breach (January 2024): AnyDesk's production systems were compromised, resulting in the theft of code signing certificates and exposure of over 18,000 customer credentials. The incident underscores the vulnerabilities inherent in remote access tools like RDP (LayerLogix).
These incidents and threat actor activities emphasize the critical need for organizations to secure RDP access, implement strong authentication mechanisms, and consistently monitor and patch vulnerabilities. Failure to do so leaves organizations exposed to significant security risks and potential financial and reputational damage.
Technical Deep Dive
Understanding the attack chain for Remote Desktop Protocol (RDP) exploitation is crucial for defending against such threats. Below, we detail a typical step-by-step attack process that adversaries might use, focusing on initial access, tools, post-exploitation activities, and relevant vulnerabilities.
1. Initial Access
Attackers often begin by using Shodan or similar search engines to identify exposed RDP servers. The query "port:3389 has_screenshot:true" returns the 415,395 instances cited above, highlighting the vast attack surface.
2. Brute Force and Credential Stuffing
Once potential targets are identified, attackers typically employ tools like Hydra or Medusa to perform brute force attacks. These tools attempt to gain access by guessing username and password combinations, often leveraging leaked credentials from previous breaches.
hydra -l admin -P /path/to/passwords.txt rdp://target-ip
3. Exploitation of Vulnerabilities
Exploiting known vulnerabilities is a common tactic. For instance, CVE-2026-32157 and CVE-2025-58718 are critical use-after-free vulnerabilities in the Remote Desktop Client with a CVSS score of 8.8. Attackers use Metasploit modules to exploit these flaws, enabling code execution.
use exploit/windows/rdp/cve_2026_32157
set RHOSTS target-ip
exploit
4. Post-Exploitation Activities
Upon successful access, attackers often deploy additional malware for persistence and further exploitation. Tools like Mimikatz are used to extract credentials, while Empire or Cobalt Strike facilitate lateral movement within the network.
Example Command: mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
5. Lateral Movement and Data Exfiltration
With elevated privileges, attackers move laterally, using RDP to access other systems. They may also exploit vulnerabilities like CVE-2024-49105, which allows arbitrary code execution.
Data exfiltration is typically conducted using encrypted channels or by compressing and transferring files via Rclone or similar tools.
6. Covering Tracks
Attackers erase logs and use PowerShell scripts to disable security tools, ensuring their activities remain undetected.
powershell -ExecutionPolicy Bypass -File ClearLogs.ps1
These steps highlight the sophisticated techniques employed by threat actors targeting RDP servers. Organizations must maintain vigilance by enforcing strong authentication, using intrusion detection systems, and regularly updating vulnerable software to mitigate these threats.
Risk Assessment by Sector
Exposing Remote Desktop Protocol (RDP) servers to the internet poses varying degrees of risk across different industries. Each sector faces unique challenges due to regulatory requirements, the nature of stored data, and the potential impact of a breach.
Healthcare
The healthcare sector is particularly vulnerable due to the sensitivity of Protected Health Information (PHI). Compliance with frameworks like HIPAA mandates stringent controls over remote access. Unauthorized access via exposed RDP could lead to significant breaches of patient data, violating HIPAA and resulting in severe penalties.
Finance
Financial institutions must adhere to PCI DSS standards, which require strong authentication and encryption for remote access. The exposure of RDP servers could facilitate unauthorized access to financial data, leading to financial theft and reputational damage. Regular audits and secure configurations are vital to mitigate these risks.
Government
Government entities are prime targets for nation-state actors seeking to exploit exposed RDP servers for espionage. Compliance with NIST SP 800-53 is critical to secure government data and infrastructure. Breaches could compromise national security and citizen data.
Manufacturing
The manufacturing sector faces risks of industrial espionage and disruption of operations. Exposed RDP servers can be exploited to access proprietary information and disrupt supply chains. Adhering to industry-specific security standards is essential to protect intellectual property.
Education
Educational institutions often have less mature cybersecurity postures, making them susceptible to attacks. Exposed RDP servers can lead to unauthorized access to student and staff data. Implementing strong security measures and complying with data protection regulations is critical.
According to a Sophos report, RDP was abused in 90% of cyberattacks handled by their incident response team in 2023, with external remote services being the initial access vector in 65% of cases.
Overall, the exposure of RDP servers represents a significant risk across sectors, necessitating robust security measures and adherence to compliance frameworks to protect sensitive data and maintain operational integrity.
Remediation Playbook
- Conduct a Comprehensive Asset Inventory: Identify all RDP servers exposed to the internet using external attack-surface scanning (for example Shodan) or a managed security service, and keep the inventory current so that every asset is accounted for.
- Implement Network Segmentation: Limit RDP access through network segmentation. Use zero-trust access controls to ensure RDP servers are isolated from critical systems. On a Linux gateway, allow RDP only from a trusted source and drop everything else (the allow rule must precede the drop rule):
iptables -A INPUT -p tcp --dport 3389 -s [trusted IP] -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -j DROP
- Apply the Principle of Least Privilege: Restrict user privileges on RDP servers to the minimum necessary. Configure user roles and permissions according to CIS Controls guidelines.
- Enforce Multi-Factor Authentication (MFA): Enable MFA for all RDP connections to add an additional layer of security, using an endpoint security or identity solution that supports RDP.
- Regularly Update and Patch Systems: Ensure all RDP servers are updated with the latest security patches to mitigate vulnerabilities like CVE-2026-32157. Automate patch management where possible.
- Implement Strong Authentication and Encryption: Configure RDP to use Network Level Authentication (NLA) and enforce strong encryption. Refer to NIST CSF for guidelines. The relevant settings live under the following Group Policy path:
gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
- Monitor and Log RDP Activity: Continuously monitor RDP activity with security information and event management (SIEM) systems. Analyze logs for suspicious activity to detect potential breaches early.
- Establish an Incident Response Plan: Develop and regularly test an incident response plan tailored to RDP-related threats. Ensure alignment with NIST CSF requirements.
- Educate and Train Employees: Conduct regular training sessions to educate employees about RDP security best practices and phishing threats. Encourage a security-first mindset.
- Review and Update Security Policies: Regularly review your organization's security policies to ensure they are current and effective against evolving RDP threats. Align updates with CIS Controls.
Detection & Monitoring
Effective detection and monitoring of Remote Desktop Protocol (RDP) exposure are critical to safeguarding organizational assets. The following steps and tools can help security teams assess and manage their RDP footprint.
Shodan Queries
Security teams can utilize Shodan to identify RDP servers exposed to the internet. Run the following queries to check for exposure:
- port:3389 has_screenshot:true - Identifies RDP servers with screenshots available, indicating potential exposure.
- port:3389 country:US - Filters RDP servers by country, e.g., the United States.
- port:3389 org:"Contabo GmbH" - Searches for RDP servers hosted by a specific organization.
SIEM Detection Rules
Integrate the following SIEM detection rules to monitor for unauthorized RDP access:
- Unauthorized RDP Access: Alert on RDP login attempts from unfamiliar IP addresses or geolocations.
- Brute Force Detection: Identify repeated failed login attempts within a short time frame.
- Successful Logins: Monitor successful logins outside of normal business hours or from unexpected locations.
Log Patterns to Monitor
Security teams should configure logging for RDP events and monitor for these patterns:
- Event ID 4625 - Failed login attempts.
- Event ID 4624 - Successful logins, especially from new IPs.
- Event ID 4776 - Credential validation attempts.
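The three SIEM rules above (brute force, unauthorized source, off-hours success) applied to the three event IDs, as an added example that is not part of the report. The log records are constructed to carry the fields one would extract from Event IDs 4624, 4625 and 4776 (TimeCreated, TargetUserName, IpAddress or Workstation, LogonType, Status); the threshold, window, trusted network and business hours are assumptions to be tuned per environment.

```python
"""Toy SIEM rule logic for RDP logon events over constructed Windows Security records.

Added example. Thresholds, the trusted network and business hours are assumptions.
"""
import ipaddress
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                                        # failures from one source ...
FAIL_WINDOW = timedelta(minutes=2)                        # ... inside this sliding window
BUSINESS_HOURS = range(8, 19)                             # 08:00-18:59 in the log's local time
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed VPN / LAN range
REMOTE_LOGON_TYPES = {"3", "10"}  # 10 = RemoteInteractive (RDP); with NLA, failures often log as type 3

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # A burst of failures from one internet source against 'administrator' ...
    *[{"EventID": 4625, "TimeCreated": f"2026-05-12T02:10:{s:02d}", "TargetUserName": "administrator",
       "IpAddress": "203.0.113.45", "LogonType": "3", "Status": "0xC000006D"} for s in range(0, 60, 10)],
    # ... followed by a success from the same source: a likely guessed password
    {"EventID": 4624, "TimeCreated": "2026-05-12T02:11:30", "TargetUserName": "administrator",
     "IpAddress": "203.0.113.45", "LogonType": "10"},
    # A single NTLM validation failure (4776 carries a workstation name, not an IP)
    {"EventID": 4776, "TimeCreated": "2026-05-12T03:00:00", "TargetUserName": "backup",
     "Workstation": "UNKNOWN-PC", "Status": "0xC000006A"},
    # Normal business-hours RDP logon from the corporate range
    {"EventID": 4776, "TimeCreated": "2026-05-12T10:14:59", "TargetUserName": "jsmith",
     "Workstation": "WS-JSMITH", "Status": "0x0"},
    {"EventID": 4624, "TimeCreated": "2026-05-12T10:15:00", "TargetUserName": "jsmith",
     "IpAddress": "10.20.30.40", "LogonType": "10"},
    # Trusted source, but at 23:30
    {"EventID": 4624, "TimeCreated": "2026-05-12T23:30:00", "TargetUserName": "svc-backup",
     "IpAddress": "10.20.30.41", "LogonType": "10"},
]


def is_failure(ev) -> bool:
    """4625 is always a failure; 4776 is a failure when its Status is non-zero."""
    return ev["EventID"] == 4625 or (ev["EventID"] == 4776 and ev.get("Status", "0x0") != "0x0")


def is_trusted(source: str) -> bool:
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:          # '-' or a workstation name
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect(events):
    """Apply the rules in time order and return the alerts raised."""
    alerts = []
    failures = defaultdict(deque)   # source -> timestamps of failures inside FAIL_WINDOW
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        source = ev.get("IpAddress") or ev.get("Workstation") or "-"
        recent = failures[source]
        while recent and ts - recent[0] > FAIL_WINDOW:   # slide the window forward
            recent.popleft()
        base = {"source": source, "user": ev["TargetUserName"], "time": ev["TimeCreated"]}
        if is_failure(ev):
            recent.append(ts)
            if len(recent) == FAIL_THRESHOLD:             # fire once per burst
                alerts.append({"rule": "brute_force", **base})
        elif ev["EventID"] == 4624 and ev.get("LogonType") in REMOTE_LOGON_TYPES:
            if len(recent) >= FAIL_THRESHOLD:             # success right after a burst
                alerts.append({"rule": "brute_force_success", **base})
            reasons = []
            if not is_trusted(source):
                reasons.append("source outside trusted networks")
            if ts.hour not in BUSINESS_HOURS:
                reasons.append("outside business hours")
            if reasons:
                alerts.append({"rule": "suspicious_rdp_logon", "reasons": reasons, **base})
    return alerts


def summarize(alerts):
    """Alert count per rule."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
    print(summarize(detect(SAMPLE_EVENTS)))
```

The brute-force rule fires once when the fifth failure lands inside the window rather than on every subsequent failure, which keeps a single burst from flooding the queue; the success-after-burst rule is the one worth paging on, since it distinguishes a guessed password from mere noise on port 3389.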
Check Yourself: Mini-Guide
- Identify Exposure: Use Shodan to list your organization's public-facing RDP servers.
- Configure Alerts: Set up SIEM rules to detect unusual RDP activity.
- Review Logs: Regularly analyze RDP-related logs for suspicious patterns.
- Patch and Secure: Ensure all RDP servers are updated and configured with strong authentication and encryption.
By leveraging these tools and techniques, organizations can better detect and mitigate risks associated with exposed RDP servers.
Key Takeaways
- Immediate Audit of RDP Exposures: Perform a comprehensive audit of all RDP servers to ensure they are not unnecessarily exposed to the internet. Utilize tools like Shodan for real-time visibility.
- Patch Management: Ensure all systems, especially those running RDP, are up to date with the latest security patches to mitigate vulnerabilities such as CVE-2026-32157 and others.
- Implement Multi-Factor Authentication (MFA): Enforce MFA for all remote access services, including RDP, to add an additional layer of security against unauthorized access attempts.
- Network Segmentation: Isolate RDP servers from critical network infrastructures to limit the potential impact of a breach.
- Monitor and Alert: Set up continuous monitoring and alerting for suspicious activities on RDP ports (3389) to detect and respond to threats in real-time.
- Compliance Review: Conduct a review to ensure alignment with compliance requirements such as NIST SP 800-53, ISO/IEC 27001, and PCI DSS regarding remote access security.
- Educate and Train Staff: Regularly update security awareness training programs to include the latest threat intelligence related to RDP and remote access vulnerabilities.
As cyber threats targeting RDP continue to evolve, maintaining vigilance and proactive security measures will be crucial in safeguarding organizational assets against future attacks.