diff --git a/scripts/realvnc-auth-bypass.nse b/scripts/realvnc-auth-bypass.nse
index 735e8f333..2abbf34cf 100644
--- a/scripts/realvnc-auth-bypass.nse
+++ b/scripts/realvnc-auth-bypass.nse
@@ -1,5 +1,6 @@
 local nmap = require "nmap"
 local shortport = require "shortport"
+local vulns = require "vulns"
 
 description = [[
 Checks if a VNC server is vulnerable to the RealVNC authentication bypass
@@ -10,29 +11,52 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 
 ---
 -- @see vnc-brute.nse
+-- @see vnc-title.nse
 --
 -- @output
 -- PORT     STATE SERVICE VERSION
 -- 5900/tcp open  vnc     VNC (protocol 3.8)
 -- |_realvnc-auth-bypass: Vulnerable
 
-categories = {"auth", "default", "safe"}
+categories = {"auth", "safe", "vuln"}
 
 
-portrule = shortport.port_or_service(5900, "vnc")
+portrule = shortport.port_or_service({5900,5901,5902}, "vnc")
 
 action = function(host, port)
   local socket = nmap.new_socket()
   local result
   local status = true
 
+  local vuln = {
+    title = "RealVNC 4.1.0 - 4.1.1 Authentication Bypass",
+    IDS = { CVE = "CVE-2006-2369" },
+    risk_factor = "High",
+    scores = {
+      CVSSv2 = "7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)",
+    },
+    description = [[
+RealVNC 4.1.1, and other products that use RealVNC such as AdderLink IP and
+Cisco CallManager, allows remote attackers to bypass authentication via a
+request in which the client specifies an insecure security type such as
+"Type 1 - None", which is accepted even if it is not offered by the server.]],
+    references = {
+      'http://www.intelliadmin.com/index.php/2006/05/security-flaw-in-realvnc-411/',
+    },
+    dates = {
+      disclosure = {year = '2006', month = '05', day = '08'},
+    },
+    state = vulns.STATE.NOT_VULN,
+  }
+  local report = vulns.Report:new(SCRIPT_NAME, host, port)
+
   socket:connect(host, port)
 
   status, result = socket:receive_lines(1)
 
   if (not status) then
     socket:close()
-    return
+    return report:make_output(vuln)
   end
 
   socket:send("RFB 003.008\n")
@@ -40,7 +64,7 @@ action = function(host, port)
 
   if (not status or result ~= "\001\002") then
     socket:close()
-    return
+    return report:make_output(vuln)
   end
 
   socket:send("\001")
@@ -48,10 +72,17 @@ action = function(host, port)
 
   if (not status or result ~= "\000\000\000\000") then
     socket:close()
-    return
+    return report:make_output(vuln)
   end
 
-  socket:close()
+  -- VULNERABLE!
+  vuln.state = vulns.STATE.VULN
 
-  return "Vulnerable"
+  socket:close()
+  -- Cache result for other scripts to exploit.
+  local reg = host.registry[SCRIPT_NAME] or {}
+  reg[port.number] = true
+  host.registry[SCRIPT_NAME] = reg
+
+  return report:make_output(vuln)
 end