WinVNC 3.3.3 and earlier generates the same challenge string for multiple connections, which allows remote attackers to bypass VNC authentication by sniffing the challenge and response of other users.
https://exchange.xforce.ibmcloud.com/vulnerabilities/5992
http://www1.corest.com/common/showdoc.php?idxseccion=10&idx=117