CVE-2006-2369

RealVNC 4.1.1 - Unauthenticated Authentication Bypass via Insecure Security Type

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 7 public exploits for CVE-2006-2369. PoCs published by fdiskyou, Metasploit, redsand, including Metasploit module auxiliary/admin/vnc/realvnc_41_bypass.

AI-analyzed exploit summary This exploit bypasses authentication in RealVNC 4.1.0 and 4.1.1 by proxying connections between a vulnerable VNC server and a local VNC viewer, effectively granting unauthorized access. It requires the attacker to have vncviewer installed and listens on a local port to facilitate the connection.

Description

RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and Cisco CallManager, allows remote attackers to bypass authentication via a request in which the client specifies an insecure security type such as "Type 1 - None", which is accepted even if it is not offered by the server, as originally demonstrated using a long password.

Exploits (7)

exploitdb WORKING POC VERIFIED
by fdiskyou · pythonremotewindows
https://www.exploit-db.com/exploits/36932

This exploit bypasses authentication in RealVNC 4.1.0 and 4.1.1 by proxying connections between a vulnerable VNC server and a local VNC viewer, effectively granting unauthorized access. It requires the attacker to have vncviewer installed and listens on a local port to facilitate the connection.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: RealVNC 4.1.0 and 4.1.1
No auth needed
Prerequisites: vncviewer installed locally · network access to target VNC server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/17719

This exploit bypasses authentication in RealVNC Server 4.1.0 and 4.1.1 by performing a man-in-the-middle attack on the VNC authentication process, allowing unauthorized access. It sets up a proxy listener to facilitate the attack.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: RealVNC Server 4.1.0 and 4.1.1
No auth needed
Prerequisites: vncviewer installed on the attacking machine (if AUTOVNC is enabled)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by redsand · remotemultiple
https://www.exploit-db.com/exploits/1791

This patch modifies the VNC client's authentication process to bypass security by forcing the security type to 'None'. It exploits CVE-2006-2369, a vulnerability in VNC's authentication mechanism.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: VNC (vnc-4_1_1-unixsrc)
No auth needed
Prerequisites: Access to the VNC client source code · Ability to compile and run the modified client
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by H D Moore · remotemultiple
https://www.exploit-db.com/exploits/1794

This exploit bypasses authentication in RealVNC 4.1 by acting as a proxy between a VNC client and server, forcing NULL authentication. It manipulates the VNC protocol handshake to grant unauthorized access.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: RealVNC 4.1.0 and 4.1.1
No auth needed
Prerequisites: Network access to the target VNC server · VNC client to connect to the proxy
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by hacker1337itme · poc
https://github.com/hacker1337itme/CVE-2006-2369

This repository contains a functional Python exploit for CVE-2006-2369, an authentication bypass vulnerability in RealVNC. The exploit implements both proxy and screenshot modes, leveraging the RFB protocol to bypass authentication by forcing security type 1 (None).

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: RealVNC 4.1.0 - 4.1.1
No auth needed
Prerequisites: network access to target VNC server
devstral-2 · analyzed Mar 08, 2026 Full analysis →
metasploit WORKING POC
by hdm, theLightCosine · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb

This Metasploit module exploits an authentication bypass vulnerability in RealVNC Server versions 4.1.0 and 4.1.1 by acting as a man-in-the-middle proxy, allowing unauthorized access to the VNC server. It intercepts and manipulates the authentication process to bypass security checks.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: RealVNC Server 4.1.0, 4.1.1
No auth needed
Prerequisites: Network access to the target VNC server · VNC server running on port 5900 · Optional: vncviewer installed for automatic connection
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit SCANNER
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vnc/vnc_none_auth.rb

This Metasploit auxiliary module scans for VNC servers that support the 'None' authentication method, which can allow unauthorized access. It performs a handshake and checks the supported security types, reporting if 'None' is included.

Classification
Scanner 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: VNC servers (various versions)
No auth needed
Prerequisites: Network access to the target VNC server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (27)

Core 27
Core References
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8355
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2492
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20107
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/438175/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/434117/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/434015/100/0/threaded
Mailing List mailing-list x_refsource_fulldisc
http://marc.info/?l=full-disclosure&m=114768344111131&w=2
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/117929
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/438368/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/434560/100/0/threaded
Exploit, Patch vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016083
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1821
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/26445
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/433994/100/0/threaded
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/17978
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/25479
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20109
Vendor Advisory vendor-advisory x_refsource_cisco
http://www.cisco.com/warp/public/707/cisco-sr-20060622-cmm.shtml
Mailing List mailing-list x_refsource_mlist
http://marc.info/?l=vnc-list&m=114755444130188&w=2
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1790
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/434518/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20789
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2022/May/29

Scores

EPSS 0.9234
EPSS Percentile 99.7%

Details

CWE
CWE-287
Status published
Products (1)
vnc/realvnc 4.1.1
Published May 15, 2006
Tracked Since Feb 18, 2026