
RDP Exposure Across the EU: A Snapshot from Shodan Data
February 28, 2026
Remote Desktop Protocol (RDP) is one of the most commonly exposed remote access services on the internet. Unlike FTP or Telnet, RDP has legitimate modern use cases. It is designed for remote administration of Windows systems.
The problem is not that RDP exists. The problem is how often it is exposed directly to the internet without sufficient protection.
We pulled Shodan data for all 27 European Union member states to see how much RDP exposure exists on port 3389.
This is not a vulnerability scan. It is a visibility snapshot of what is responding publicly.
Methodology
EU-27 country filter used:
AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IE, IT, LV, LT, LU, MT, NL, PL, PT, RO, SK, SI, ES, SE
Query used:
- RDP exposure on port 3389 responding.
Note: Not every service running on port 3389 is necessarily Microsoft RDP. Some systems may run other services on that port. However, the overwhelming majority are Remote Desktop Protocol services.
Total RDP Exposure in the EU
Total exposed RDP services: 416,856
This makes RDP one of the largest exposed remote access surfaces in the EU.
| Country | RDP Services |
|---|---|
| Germany (DE) | 163,826 |
| Netherlands (NL) | 59,333 |
| France (FR) | 52,614 |
| Spain (ES) | 22,606 |
| Italy (IT) | 19,473 |
| Finland (FI) | 17,644 |
| Poland (PL) | 11,762 |
| Czechia (CZ) | 10,315 |
| Sweden (SE) | 8,523 |
| Ireland (IE) | 7,307 |
| Romania (RO) | 4,984 |
| Hungary (HU) | 4,894 |
| Bulgaria (BG) | 4,291 |
| Lithuania (LT) | 4,021 |
| Belgium (BE) | 3,910 |
| Austria (AT) | 3,649 |
| Portugal (PT) | 3,435 |
| Greece (GR) | 2,939 |
| Denmark (DK) | 2,357 |
| Slovakia (SK) | 1,952 |
| Croatia (HR) | 1,877 |
| Latvia (LV) | 1,542 |
| Estonia (EE) | 1,270 |
| Slovenia (SI) | 1,014 |
| Luxembourg (LU) | 616 |
| Cyprus (CY) | 512 |
| Malta (MT) | 186 |
Germany accounts for nearly 40 percent of all EU RDP exposure. The Netherlands ranks second, likely reflecting infrastructure density and hosting presence rather than weaker security.
What Is Actually Running?
| Service | Instances |
|---|---|
| Remote Desktop Protocol | 387,565 |
| nginx | 761 |
| OpenSSH | 365 |
| Hikvision IP Camera | 94 |
| OpenVPN | 39 |
| VNC | 31 |
| MariaDB | 28 |
| MySQL | 13 |
The vast majority are genuine RDP services. The small number of non-RDP fingerprints highlights why port-based data should always be treated as a snapshot, not as perfect protocol validation.
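To show what protocol validation looks like beyond a port number, the following added example (not part of the original analysis or of Shodan's tooling) classifies the first reply bytes from a service on port 3389 and, for genuine RDP, reads the security protocol from the X.224 Connection Confirm. The function name and the sample replies are constructed for illustration; the field layout and code values follow Microsoft's MS-RDPBCGR specification.

```python
import struct

# selectedProtocol values in an RDP Negotiation Response (MS-RDPBCGR)
SELECTED = {0: "standard RDP security", 1: "TLS",
            2: "CredSSP (NLA)", 8: "CredSSP with early user auth (NLA)"}
# failureCode values in an RDP Negotiation Failure
FAILURE = {1: "server requires TLS", 2: "server does not allow TLS",
           3: "server has no TLS certificate", 4: "inconsistent flags",
           5: "server requires CredSSP (NLA)",
           6: "server requires TLS with user authentication"}

def classify_3389_reply(data: bytes) -> dict:
    """Classify the first reply bytes from a service listening on port 3389."""
    if data.startswith(b"SSH-"):
        return {"service": "ssh"}
    if data.startswith(b"HTTP/"):
        return {"service": "http"}
    # TPKT header: version 3, reserved byte, big-endian total length.
    if len(data) < 11 or data[0] != 3:
        return {"service": "unknown"}
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    # Byte 5 is the X.224 TPDU code; 0xD0 means Connection Confirm.
    if tpkt_len != len(data) or data[5] & 0xF0 != 0xD0:
        return {"service": "unknown"}
    neg = data[11:]
    if len(neg) < 8:
        # No negotiation block: treated as legacy standard RDP security.
        return {"service": "rdp", "security": SELECTED[0]}
    # type (1), flags (1), length (2, little-endian), value (4, little-endian)
    neg_type, _flags, _neg_len, value = struct.unpack("<BBHI", neg[:8])
    if neg_type == 0x02:   # negotiation response: value is the selected protocol
        return {"service": "rdp",
                "security": SELECTED.get(value, f"unknown protocol {value}")}
    if neg_type == 0x03:   # negotiation failure: value is the reason
        return {"service": "rdp",
                "security": "refused: " + FAILURE.get(value, f"code {value}")}
    return {"service": "rdp", "security": "unrecognised negotiation block"}

# Constructed sample replies (not captured from real hosts).
NLA_REPLY = bytes.fromhex("03000013" "0ed00000123400" "0200080002000000")
REFUSED_REPLY = bytes.fromhex("03000013" "0ed00000123400" "0300080005000000")
LEGACY_REPLY = bytes.fromhex("0300000b" "06d00000123400")
SSH_REPLY = b"SSH-2.0-OpenSSH_8.9\r\n"

if __name__ == "__main__":
    for name in ("NLA_REPLY", "REFUSED_REPLY", "LEGACY_REPLY", "SSH_REPLY"):
        print(name, classify_3389_reply(globals()[name]))
```

A selected protocol of CredSSP only shows that the server accepted NLA for that client offer; the "server requires CredSSP (NLA)" refusal is what shows NLA being enforced.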
Operating System Breakdown
| Operating System | Instances |
|---|---|
| Windows Server 2022 | 116,126 |
| Windows 10 build 17763 | 72,698 |
| Windows 11 build 26100 | 51,526 |
| Windows 10 build 19041 | 38,785 |
| Windows 10 build 14393 | 37,113 |
| Windows Server 2012 R2 | 12,511 |
| Windows 8.1 build 9600 | 11,339 |
| Windows 7 and Server 2008 R2 family | 1,943+ |
Modern Windows versions dominate the dataset, which is encouraging. However, we still see:
- Windows Server 2008 variants
- Windows 7 systems
- Server 2003 remnants
- Embedded and Linux-based systems
Older Windows versions are a red flag. Unsupported operating systems exposed via RDP significantly increase risk.
Is Exposed RDP a Security Problem?
Yes, but with nuance. Unlike SMB or Telnet, RDP does have legitimate public-facing use cases. The issue is that exposed RDP is one of the most attacked services on the internet.
Attack patterns include:
- Automated brute force password attempts
- Credential stuffing
- Exploitation of RDP vulnerabilities (e.g., BlueKeep)
- Ransomware initial access
- Lateral movement after credential compromise
A password-only RDP server exposed to the internet is a brute force magnet. Attackers do not manually scan for RDP anymore; botnets do it continuously.
From a Pentester Perspective
In a real-world security assessment, severity depends on configuration. RDP becomes a High finding when:
- It is publicly reachable with no IP restrictions
- No multi-factor authentication (MFA) is enforced
- Weak or reused passwords are permitted
- No account lockout policy exists
If we successfully authenticate using weak credentials, default credentials, or credential reuse, the finding becomes Critical. Exposure combined with unsupported systems or serious CVEs compounds risk.
Important Context and Limitations
This analysis is based entirely on Shodan data.
Shodan continuously scans internet-facing services, but it does not have full visibility. Some hosts may block Shodan scanners. Others may not yet be indexed at the time of analysis.
These numbers represent observed exposure, not a complete census of all internet-exposed RDP services. Remember that a service can run on another port; this research focused on specific ports, which is why visibility is not 100% accurate.
It is reasonable to assume the real number is higher.
Additionally:
- Not every service on port 3389 is guaranteed to be RDP
- OS fingerprinting may not always be exact
- Some systems may be honeypots or research deployments
Exposure does not automatically mean compromise.
But exposure combined with weak configuration significantly increases the likelihood of compromise.
If RDP Must Be Public: Hardening Checklist
1. Restrict Who Can Reach It
- Use firewall allowlisting (limit to specific office/VPN IPs)
- Implement rate limiting
- Consider geo-blocking at the firewall level
2. Enforce Strong Authentication
- Enable Network Level Authentication (NLA)
- Enforce Multi-Factor Authentication (MFA)
- Rename or disable the built-in 'Administrator' account
3. Lock Down Permissions
- Remove unnecessary users from the Administrators group
- Disable local login for service accounts
- Apply Least Privilege principles
4. Add Brute-Force Protection
- Configure strict account lockout policies
- Monitor failed login events (e.g., Event ID 4625)
5. Infrastructure Alternatives
- Deploy an RD Gateway with TLS and MFA
- Prefer VPN or Zero Trust access models over direct exposure
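For the failed-login monitoring in step 4, the following added example (not from the original analysis) flags source addresses that generate a burst of Event ID 4625 failures within a sliding time window. The record keys mirror the 4625 event's own field names; the events, threshold, window and function names are constructed assumptions to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}  # 3 = network (typical with NLA), 10 = RemoteInteractive

def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: {"peak": n, "users": set}} for sources that produced at
    least `threshold` failed RDP logons (4625) inside any sliding `window`."""
    recent = defaultdict(deque)   # ip -> (time, user) pairs still inside the window
    flagged = {}
    parsed = [(datetime.fromisoformat(e["TimeCreated"]), e) for e in events]
    for when, e in sorted(parsed, key=lambda p: p[0]):
        if e["EventID"] != 4625 or e["LogonType"] not in RDP_LOGON_TYPES:
            continue
        ip = e["IpAddress"]
        if ip in ("", "-", "127.0.0.1", "::1"):
            continue              # no remote source recorded
        q = recent[ip]
        q.append((when, e["TargetUserName"]))
        while when - q[0][0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            hit = flagged.setdefault(ip, {"peak": 0, "users": set()})
            hit["peak"] = max(hit["peak"], len(q))
            hit["users"].update(user for _, user in q)
    return flagged

def failed_logon(time, ip, user, logon_type=3):
    """Build one constructed 4625 record using the event's own field names."""
    return {"EventID": 4625, "TimeCreated": time, "IpAddress": ip,
            "TargetUserName": user, "LogonType": logon_type}

# Constructed sample data (documentation IP ranges, invented account names).
NAMES = ["administrator", "admin", "user", "test", "backup", "support"]
SAMPLE_EVENTS = (
    [failed_logon(f"2026-02-28T03:14:{10 * i:02d}", "203.0.113.7", n)
     for i, n in enumerate(NAMES)]
    + [failed_logon("2026-02-28T08:01:12", "198.51.100.20", "j.doe"),
       failed_logon("2026-02-28T09:30:45", "198.51.100.20", "j.doe"),
       failed_logon("2026-02-28T09:31:02", "-", "svc-backup", logon_type=2)]
)

if __name__ == "__main__":
    for ip, hit in find_bruteforce_sources(SAMPLE_EVENTS).items():
        print(ip, hit["peak"], sorted(hit["users"]))
```

Many distinct usernames from one source, as in the flagged sample, point to automated guessing rather than a user mistyping a password, which is the case an account lockout policy alone does not surface.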
Final Thoughts
416,856 exposed RDP services across the EU represent a substantial remote access surface. RDP is not inherently insecure, but poor configuration makes it a primary target for ransomware and credential-based attacks.
Visibility is the first step. Hardening, monitoring, and strict authentication are what actually reduce risk.
