Running netstat -tulpen shows two related spice instances at 127.0.0.1:5900 and 127.0.0.1:5901, which I assume means that libvirt is only listening on localhost.
A closer look at the VM settings shows that the defaults we ship with are:
<graphics type="spice" autoport="yes">
<listen type="address"/>
<clipboard copypaste="no"/>
<filetransfer enable="no"/>
<gl enable="no"/>
</graphics>
To have spice listen on all addresses you would have to go out of your way to configure it like so:
<graphics type="spice" autoport="yes" listen="0.0.0.0">
<listen type="address" address="0.0.0.0"/>
<image compression="off"/>
<gl enable="no"/>
</graphics>
Additionally, per the manual, you can completely disable listening, forcing it to use file descriptors:
<graphics type="spice">
<listen type="none"/>
<clipboard copypaste="no"/>
<filetransfer enable="no"/>
<gl enable="no"/>
</graphics>
I am not an expert on how spice is designed, but I also assume the coders behind it were competent enough to spin up a separate instance for each VM so no cross-VM snooping happens, hence the two instances in netstat. I am also concluding they don't open it up to connections from the whole world. An admin would explicitly select the TLS port and password for authentication to make this happen, as documented.
Feel free to contact upstream at the libvir-users mailing list and see what they have to say. Happy to be corrected if necessary and make the entire Linux ecosystem safer in the process.
I recommend scanning the system using another machine, as running the scanner on the same machine can give the illusion of it being impacted by a remote party while you were only getting false positives from scanning your whole system's port ranges from the inside.
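As an added example (not part of the post above and not libvirt's or the distribution's own tooling), the following script classifies the three <graphics> configurations quoted in the post by parsing libvirt domain XML, the same XML that `virsh dumpxml <domain>` would return. It reports whether each SPICE/VNC display listens on loopback only, on all interfaces, or not at all (the file-descriptor case), and whether a TLS port or password is set and clipboard/file transfer are enabled. The sample domain documents are constructed inline; the loopback fallback used when no address is configured is an assumption that matches the netstat output quoted above (the real default comes from spice_listen in qemu.conf).

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumed fallback when neither <listen address=...> nor listen= is set.
# It matches what the post observed with netstat, but the authoritative
# value is the spice_listen / vnc_listen setting in qemu.conf.
ASSUMED_DEFAULT_LISTEN = "127.0.0.1"


def classify_address(addr: str) -> str:
    """Map a listen address to an exposure class."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"  # needs DNS to resolve; cannot judge offline
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific-address"


def _child_flag(graphics: ET.Element, tag: str, attr: str) -> bool:
    """True unless <tag attr="no"/> is present (libvirt defaults to enabled)."""
    child = graphics.find(tag)
    return child is None or child.get(attr) != "no"


def graphics_exposure(domain_xml: str) -> list[dict]:
    """Return one record per <graphics> element describing where it listens."""
    root = ET.fromstring(domain_xml)
    records = []
    for g in root.iter("graphics"):
        rec = {
            "type": g.get("type", ""),
            "listen": [],
            "tls": g.get("tlsPort") is not None,
            "password": g.get("passwd") is not None,
            "clipboard": _child_flag(g, "clipboard", "copypaste"),
            "filetransfer": _child_flag(g, "filetransfer", "enable"),
        }
        listens = g.findall("listen")
        if not listens:
            # Legacy form: address only on the graphics element itself.
            rec["listen"].append(
                classify_address(g.get("listen") or ASSUMED_DEFAULT_LISTEN))
        for l in listens:
            ltype = l.get("type", "address")
            if ltype == "address":
                addr = l.get("address") or g.get("listen") or ASSUMED_DEFAULT_LISTEN
                rec["listen"].append(classify_address(addr))
            elif ltype == "none":
                rec["listen"].append("none")  # no TCP socket; FD passing only
            elif ltype == "socket":
                rec["listen"].append("unix-socket")
            else:
                rec["listen"].append(ltype)  # e.g. "network"
        rec["remote_reachable"] = any(
            c in ("all-interfaces", "specific-address", "hostname")
            for c in rec["listen"])
        # Reachable from the network without TLS or a password.
        rec["unprotected"] = rec["remote_reachable"] and not (
            rec["tls"] or rec["password"])
        records.append(rec)
    return records


# Constructed domain documents mirroring the three snippets in the post.
SHIPPED_DEFAULT = """<domain type='kvm'><name>vm1</name><devices>
<graphics type="spice" autoport="yes">
<listen type="address"/>
<clipboard copypaste="no"/>
<filetransfer enable="no"/>
<gl enable="no"/>
</graphics></devices></domain>"""

ALL_INTERFACES = """<domain type='kvm'><name>vm2</name><devices>
<graphics type="spice" autoport="yes" listen="0.0.0.0">
<listen type="address" address="0.0.0.0"/>
<image compression="off"/>
<gl enable="no"/>
</graphics></devices></domain>"""

FD_ONLY = """<domain type='kvm'><name>vm3</name><devices>
<graphics type="spice">
<listen type="none"/>
<clipboard copypaste="no"/>
<filetransfer enable="no"/>
<gl enable="no"/>
</graphics></devices></domain>"""


if __name__ == "__main__":
    for name, xml_doc in (("shipped default", SHIPPED_DEFAULT),
                          ("all interfaces", ALL_INTERFACES),
                          ("fd only", FD_ONLY)):
        for rec in graphics_exposure(xml_doc):
            print(f"{name}: {rec}")
```

To run it against a real host, feed it the output of `virsh dumpxml` for each domain; the "unprotected" flag is the case the post describes an admin having to configure on purpose (a non-loopback address with no TLS port or password).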