The Broadband Guide
SG
search advanced
 Username:
 Password:
Register
 forgot password?

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please . Any feedback and suggestions can also be posted to our Security forum.

 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 |....| 41 
Port(s) Protocol Service Scan level Description
 1494 tcp citrix not scanned Citrix WinFrame. Also uses port 1604 udp.
 1500 tcp applications not scanned NetGuard GuardianPro firewall (NT4-based) Remote Management

IBM Tivoli Storage Manager (TSM) is vulnerable to a buffer overflow, caused by improper bounds checking by the SmExecuteWdsfSession() function. By sending a specially-crafted string to TCP port 1500 during a login attempt, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the TSM service to crash .
References: [CVE-2006-5855], [BID-21440]

Port is also IANA registered for VLSI License Manager
 1501 udp applications not scanned NetGuard GuardianPro firewall (NT4-based) Authentication Client
 1503 tcp Netmeeting not scanned NetMeeting with H323

T.120 Data sharing, CU-SeeMe-CUworld also use port 1503 (TCP/UDP)
 1505 tcp trojan Premium scan FunkProxy
 1509 tcp trojans Premium scan Port used by Psyber Streaming Server - remote access trojan.
 1510 tcp games not scanned Nascar 3
 1513 tcp,udp fujitsu-dtc not scanned Fujitsu Systems Business of America Inc
 1514 tcp,udp fujitsu-dtcns not scanned Fujitsu Systems Business of America Inc
 1521 tcp oracle not scanned Oracle database default listener. Oracle Database Management uses the following ports:
1521 TCP - Oracle SQL Net Listener and Data Guard
1832 TCP - Oracle Enterprise Management Agent HTTP (range 1830-1849)
49896 TCP - Oracle Clusterware (CRS daemon)


Transparent Network Substrate (TNS) Listener in Oracle 9i 9.0.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a single malformed TCP packet to port 1521.
References: [CVE-2002-0509], [BID-4391]

Port is also IANA registered for nCube License Manager
 1524 tcp backdoor Premium scan Many attack scripts install a backdoor shell at this port (especially those against Sun systems via holes in sendmail and RPC services like statd, ttdbserver, and cmsd). Connections to port 600/pcserver also have this problem. [Cert IN-99-04]

Trin00 (DDoS) trojan horse also uses port 1524 (TCP).
 1525 tcp,udp orasrv not scanned Oracle

Archie, Prospero trojans also use this port (TCP).
 1526 tcp not scanned Oracle database common alternative for listener
 1527 tcp,udp tlisrv not scanned Oracle
 1530 tcp applications not scanned The RDS service (rds.exe) in HP Data Protector Manager 6.11 allows remote attackers to cause a denial of service (crash) via a packet with a large data size to TCP port 1530.
References: [CVE-2011-0514]

Port also IANA registered for rap-service
 1533 tcp trojans Premium scan Backdoor.Miffice - remote access trojan, 08.2002. Affects all current Windows versions.

IBM Lotus Sametime is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the Community Services Multiplexer service (StMux.exe). By sending an overly long HTTP request to TCP port 1533, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2008-2499], [BID-29328]

Port is also registered with IANA for: Virtual Places Software
 1534 tcp trojan Premium scan Bizex.Worm
 1547 tcp,udp applications not scanned Laplink
 1558 tcp,udp xingmpeg not scanned Xing StreamWorks
 1560 tcp trojans Premium scan Big Gluck, Duddie
 1561 udp trojan not scanned MuSka52
 1568 tcp trojan Premium scan Remote Hack
 1580 tcp,udp tn-tl-r1 not scanned Buffer overflow in Tivoli Storage Manager TSM (1) Server or Storage Agents 3.1 through 5.1, and (2) the TSM Client Acceptor Service 4.2 and 5.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request to port 1580 or port 1581.
References: [CVE-2002-0541] [BID-4500] [BID-4492]

tn-tl-r1 / tn-tl-r1 (IANA official)
 1581 tcp,udp applications not scanned Cross-site scripting (XSS) vulnerability in the CAD service in IBM Tivoli Storage Manager (TSM) Client 5.3.5.3 and 5.4.1.2 for Windows allows remote attackers to inject arbitrary web script or HTML via HTTP requests to port 1581, which generate log entries in a dsmerror.log file that is accessible through a certain web interface.
References: [CVE-2007-4348] [BID-26221]

Buffer overflow in Tivoli Storage Manager TSM (1) Server or Storage Agents 3.1 through 5.1, and (2) the TSM Client Acceptor Service 4.2 and 5.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request to port 1580 or port 1581.
References: [CVE-2002-0541] [BID-4500] [BID-4492]

Port also IANA registered for MIL-2045-47001.
 1584 tcp applications not scanned Dialpad
 1585 tcp applications not scanned Dialpad
 1599 tcp simbaservices not scanned Use-after-free vulnerability in the socket manager of Impress Remote in LibreOffice 4.x before 4.2.7 and 4.3.x before 4.3.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to TCP port 1599.
References: [CVE-2014-3693]

IANA registered for: simbaservices
 1600 tcp trojans Premium scan Port used by some trojans: Shiva Burka, Backdoor.DirectConnection (remote access trojan, uses ports 1000, 1600-1602)
 1601 tcp trojan Premium scan Direct Connection
 1602 tcp trojan Premium scan Direct Connection
 1604 udp citrix not scanned Citrix WinFrame uses port 1604 UDP and port 1494 TCP.
DarkComet RAT (Remote Administration Tool) uses port 1604 (both TCP and UDP) by default.

 1604 tcp rat Premium scan DarkComet RAT (Remote Administration Tool) uses port 1604 (both TCP and UDP) by default.
ICA Browser
 1609 tcp amp not scanned Numara Asset Manager Platform (AMP) uses the following ports:
1610 - primary AMP port
1611 - communication between console and master server
Other optional ports used by AMP:
1609 - used to calculate available bandwidth for transfer windows
1612 - used by the application kiosk feature
2500 - used for multicast data transfers to agents
5400 - used for remote control only
22,23,25,135-139,445 - used for auto discovery, SSH remote inventory scans, SMB remote inventory
161 - SNMP remote inventory scan
67-69 - relays can be used to avoid opening ports over the wan
 1610 tcp amp not scanned Numara Asset Manager Platform (AMP) uses the following ports:
1610 - primary AMP port
1611 - communication between console and master server
Other optional ports used by AMP:
1609 - used to calculate available bandwidth for transfer windows
1612 - used by the application kiosk feature
2500 - used for multicast data transfers to agents
5400 - used for remote control only
22,23,25,135-139,445 - used for auto discovery, SSH remote inventory scans, SMB remote inventory
161 - SNMP remote inventory scan
67-69 - relays can be used to avoid opening ports over the wan

 1611 tcp applications not scanned Numara Asset Manager Platform (AMP) uses the following ports:
1610 - primary AMP port
1611 - communication between console and master server
Other optional ports used by AMP:
1609 - used to calculate available bandwidth for transfer windows
1612 - used by the application kiosk feature
2500 - used for multicast data transfers to agents
5400 - used for remote control only
22,23,25,135-139,445 - used for auto discovery, SSH remote inventory scans, SMB remote inventory
161 - SNMP remote inventory scan
67-69 - relays can be used to avoid opening ports over the wan


Port also used by: Black and White game
 1612 tcp,udp appliactions not scanned Numara Asset Manager Platform (AMP) uses the following ports:
1610 - primary AMP port
1611 - communication between console and master server
Other optional ports used by AMP:
1609 - used to calculate available bandwidth for transfer windows
1612 - used by the application kiosk feature
2500 - used for multicast data transfers to agents
5400 - used for remote control only
22,23,25,135-139,445 - used for auto discovery, SSH remote inventory scans, SMB remote inventory
161 - SNMP remote inventory scan
67-69 - relays can be used to avoid opening ports over the wan

Port also used by:
NetBill Transaction Server
Video game Black and White (TCP)
 1613 tcp,udp netbill-keyrep not scanned NetBill Key Repository
 1614 tcp,udp netbill-cred not scanned NetBill Credential Server
 1615 tcp,udp netbill-auth not scanned NetBill Authorization Server
 1616 tcp,udp netbill-prod not scanned NetBill Product Server
 1621 tcp,udp softdataphone not scanned A security issue has been reported in Cisco Mobility Services Engine, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to the Oracle SSL service misconfiguration and can exploited to bypass the authentication mechanism by connecting to an unprotected port (1621).
References: [CVE-2013-3469], [SECUNIA-54709]

IANA registered for softdataphone
 1626 tcp,udp applications not scanned Robot Rage, Street Fighter Online, Shockwave
 1630 udp games not scanned Europa Universalis III: In Nomine uses ports 1630-1638, developer: Paradox Interactive
 1634 tcp trojan Premium scan NetCrack
 1638 udp games not scanned Europa Universalis III: In Nomine uses ports 1630-1638, developer: Paradox Interactive
 1639 tcp trojans Members scan W32.Bofra.E@mm (11.12.2004) - a mass-mailing worm that exploits the MS Internet Explorer IFRAME vulnerability. Affects all current Windows versions.

Runs as an HTTP server on port 1639/tcp, Attempts to connect to IRC servers on port 6667/tcp.

W32.Bofra.C@mm (11.11.2004) - another variant of the Bofra worm. It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm (11.08.2004).
W32.Bofra.D@mm (11.08.2004).
 1640 tcp trojans Premium scan W32.Bofra.C@mm (11.11.2004) - mass-mailing worm that exploits the MS Internet Explorer IFRAME Vulnerability. Also spreads by sending email to addresses found on the infected computer. It can affect all current Windows versions.

It opens ports 1639/tcp and 1640/tcp for listening, opens an ident daemon on port 113/tcp, connects to IRC servers on port 6667/tcp.
 1641 tcp,udp invision not scanned The Synel SY-780/A Time & Attendance terminal allows remote attackers to cause a denial of service (device hang) via network traffic to port (1) 1641, (2) 3734, or (3) 3735.
References: [CVE-2012-2970]

InVision (IANA official)
 1645 udp RADIUS not scanned RADIUS (Remote Authentication Dial-In User Service, RFC 2865 and RFC 2866) is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the IETF (Internet Engineering Task Force) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Working Requirements Group.

Uses UDP ports 1645 & 1646, or 1812 & 1813.

A vulnerability has been reported in Cisco Secure Access Control Server, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error when parsing EAP-FAST user identities and can be exploited to execute arbitrary commands via specially crafted packets sent to UDP port 1645 or 1812.
References: [CVE-2013-3466], [SECUNIA-54610]
 1646 udp RADIUS not scanned RADIUS (Remote Authentication Dial-In User Service, RFC 2865 and RFC 2866 ) is a freely available distributed security system developed by Lucent Technologies InterNetworking Systems. Lucent has worked with the IETF (Internet Engineering Task Force) to define RADIUS as an interoperable method for distributed security on the Internet. RADIUS was designed based on a previous recommendation from the IETF's Network Access Server Working Requirements Group.

Uses UDP ports 1645 & 1646, or 1812 & 1813.
 1649 tcp applications not scanned IP Failover
 1661 tcp,udp netview-aix-1 not scanned netview-aix-1
 1662 tcp,udp netview-aix-2 not scanned netview-aix-2
 1663 tcp,udp netview-aix-3 not scanned netview-aix-3
 1664 tcp,udp netview-aix-4 not scanned netview-aix-4
 1665 tcp,udp netview-aix-5 not scanned netview-aix-5
 1666 tcp,udp netview-aix-6 not scanned netview-aix-6
 1667 tcp,udp netview-aix-7 not scanned netview-aix-7
 1668 tcp,udp netview-aix-8 not scanned netview-aix-8
 1669 tcp,udp netview-aix-9 not scanned netview-aix-9
 1670 tcp,udp netview-aix-10 not scanned netview-aix-10
 1671 tcp,udp netview-aix-11 not scanned netview-aix-11
 1672 tcp,udp netview-aix-12 not scanned netview-aix-12
 1673 tcp,udp games not scanned TOCA Race Driver 2
 1677 tcp,udp applications not scanned Novell GroupWise clients in client/server access mode
 1680 tcp carboncopy not scanned CarbonCopy
 1681 tcp sd-elmd not scanned Elipse E3 3.x and earlier allows remote attackers to cause a denial of service (application crash and plant outage) via a rapid series of HTTP requests to index.html on TCP port 1681.
References: [CVE-2014-8652]

IANA registered for: sd-elmd (TCP/UDP)
 1687 tcp,udp nsjtp-ctrl not scanned IANA registered for: nsjtp-ctrl
NSJTP stands for HP's Network ScanJet Transfer Protocol
 1688 tcp,udp nsjtp-data not scanned IANA registered for: nsjtp-data
NSJTP stands for HP's Network ScanJet Transfer Protocol.
Port 1688 TCP is also used for Microsoft's KMS Traffic.
 1698 udp rsvp-encap-1 not scanned A vulnerability has been reported in Cisco IOS and IOS XE, that can cause a DoS (Denial of Service). The vulnerability is caused due to an error when handling RSVP packets, which can be exploited to cause a reload of the device by sending a specially crafted RSVP packet to UDP port 1698.
References: [CVE-2014-3354] [SECUNIA-59563]

IANA registered for RSVP-ENCAPSULATION-1
 1700 tcp trojan Premium scan Rux.Tick trojan horse
 1701 tcp vpn Premium scan L2TP VPN (Virtual Private Networking)

See also:
port 500/udp (IPSec IKE)
port 1723/tcp (PPTP)

Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to TCP port 1701 in JBoss 3.2.1, and port 1476 in JBoss 3.0.8.
References: [CVE-2003-0845], [BID-8773]
 1701 udp l2tp not scanned Mac OS X Server VPN service
 1703 tcp trojan Premium scan Exploiter
 1707 tcp,udp applications not scanned Windward Studios
Romtoc Packet Protocol (L2F) & Layer 2 Tunneling Protocol (L2TP) also use this port (TCP)

SalesLogix 6.1 does not verify if a user is authenticated before performing sensitive operations, which could allow remote attackers to execute arbitrary SLX commands on the server or spoof the server via a man-in-the-middle (MITM) attack, or obtain the database password via a GetConnection request to TCP port 1707.
References: [CVE-2004-1611], [BID-11450]
 1711 tcp trojan Premium scan yoyo trojan
 1716 udp games not scanned America's Army

Multiple buffer overflows in the logging function in the Unreal engine, as used by America's Army and America's Army Special Forces 2.8.2 and earlier, when Punkbuster (PB) is enabled, allow remote attackers to cause a denial of service (daemon crash) via a long PB_Y packet to the YPG server on UDP port 1716 or PB_U packet to UCON on UDP port 1716.
References: [CVE-2007-5249]

Port is also IANA registered for xmsg.
 1717 udp games not scanned America's Army
 1718 tcp applications not scanned McAfee E-Business Server could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the administration interface. By sending a malformed authentication packet to TCP port 1718, a remote attacker could exploit this vulnerability to cause the application to crash or execute arbitrary code with SYSTEM privileges.
References: [CVE-2008-0127], [BID-27197]

H.323 Multicast Gatekeeper Discover (IANA official)
 1718 udp games not scanned America's Army

H.323 Multicast Gatekeeper Discover (IANA official)
 1719 tcp applications not scanned H.323 Unicast Gatekeeper Signaling (IANA official)
 1720 tcp h323 Premium scan Port most commonly used by Microsoft NetMeeting.
H.323 used for voice-over IP call set-up (H.323 Call Control Signalling, IANA official).
IPContact also uses port 1720 (TCP/UDP)

Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload) by sending crafted H.323 packets to TCP port 1720, aka Bug ID CSCth11006.
References: [CVE-2011-3277], [BID-49822]

innovaphone is vulnerable to a denial of service. By sending random data to its H.323 network service on the TCP port 1720, a remote attacker could exploit this vulnerability to cause the system to reboot.
References: [XFDB-111292]
 1723 tcp,udp PPTP Basic scan PPTP VPN (Point-to-Point Tunneling Protocol Virtual Private Networking).

PPTP has a number of known vulnerabilities. It is no longer considered secure, as cracking the initial MS-CHAPv2 authentication can be reduced to the difficulty of cracking a single DES 56-bit key, which can be brute-forced in a short period of time. It is prone to MITM (man in the middle) attacks, where an attacker can capture the handshake and do an offline attack to derive the RC4 key and decrypt the traffic. PPTP is also vulnerable to bit-flipping attacks, i.e. an attacker can modify PPTP packets without possibility of detection. OpenVPN with AES encryption is a much more secure choice.

See also:
port 500/udp (IPSec IKE)
port 1701/tcp (L2TP)
port 1194/udp (OpenVPN)

QNAP NAS uses port 1723/TCP for PPTP VPN. It can also use 1194/UDP (OpenVPN), and a number of other ports, as follows: 80,8081/TCP (web server), 443,8080/TCP (web admin), 20,21,22/TCP (FTP/SSH), 13131/TCP (telnet), 873,8899/TCP (remote replication), 20001/UDP (CloudLink - optional, only required for access without manual port forwarding)

Mac OS X Server VPN service also uses port 1723 (TCP).

The Siemens Gigaset SE361 WLAN router allows remote attackers to cause a denial of service (device reboot) via a flood of crafted TCP packets to port 1723.
References: [CVE-2009-3322] [BID-36366]

SMC Networks Barricade Wireless Cable/DSL Broadband Router SMC7004VWBR allows remote attackers to cause a denial of service via certain packets to PPTP port 1723 on the internal interface.
References: [CVE-2003-0419]

The PPTP implementation in Cisco IOS 12.2 and 15.0 through 15.3, when NAT is used, allows remote attackers to cause a denial of service (device reload) via crafted TCP port-1723 packets, aka Bug ID CSCtq14817.
References: [CVE-2013-5481]
 1726 tcp applications not scanned Air Cam Live
 1728 tcp applications not scanned Air TV
 1729 tcp,udp applications not scanned OKWin uses ports 1729-1735
 1734 tcp,udp applications not scanned IPContact uses ports 1734-1767
 1735 tcp,udp applications not scanned OKWin uses ports 1729-1735
 1741 tcp applications not scanned Multiple buffer overflows in the authentication functionality in the web-server module in Cisco CiscoWorks Common Services before 4.0 allow remote attackers to execute arbitrary code via a session on TCP port 1741, aka Bug ID CSCti41352.
References: [CVE-2010-3036], [BID-44468]

Port also IANA registered for cisco-net-mgmt
 1745 tcp,udp remote-winsock not scanned remote-winsock

The Winsock Proxy service in Microsoft Proxy Server 2.0 and the Microsoft Firewall service in Internet Security and Acceleration (ISA) Server 2000 allow remote attackers to cause a denial of service (CPU consumption or packet storm) via a spoofed, malformed packet to UDP port 1745.
References: [CVE-2003-0110]
 1751 tcp trojans Members scan W32.Loxbot.D (01.06.2006) - a worm that opens a backdoor on the compromised computer. SPreads through AOL Instant Messenger, uses rootkit capabilities to hide its process in memory. Opens a backdoor and listens for remote commands on port 1751/tcp.
 1753 tcp predatar-comms not scanned Predatar Comms Service [Silverstring_Ltd] (IANA official)
 1755 tcp,udp ms-streaming Members scan Port used by Microsoft Media Server (MMS) protocol for Windows Media steaming, Microsoft Media Services, MS NetShow.

1755/tcp is used for accepting incoming MMS client connections and for delivering data packets to clients that are streaming using MMST.
1755/udp used for receiving packet loss information from clients and providing synchronization information to clients that are streaming using MMSU.

See also: ports 554,5004,5005 - Real Time Streaming Protocol (RTSP)
 1761 applications not scanned Novell ZENworks Desktop Management is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the Remote Management Agent within ZenRem32.exe when processing certain version fields. By sending a specially-crafted packet to TCP or UDP port 1761, a remote attacker could overflow a buffer and execute arbitrary code on the system with SYSTEM privileges or cause the application to crash.
References: [XFDB-64025] [XFDB-64026] [BID-45379] [BID-45375]
 1772 tcp,udp trojans Premium scan Backdoor.Netcontrole - remote access trojan, 06.2002. Affects all current Windows versions.

port is also registered with IANA for: EssWeb Gateway
 1777 tcp trojan Premium scan Scarab trojan
 1784 tcp trojan Premium scan Snid X2 trojan
 1791 udp games not scanned NHL 2003
 1792 udp games not scanned NHL 2003
 1795 udp games not scanned Madden NFL 2005, Madden NFL 2006, Madden NFL 07

Vulnerabilities listed: 100 (some use multiple ports)
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About