The Broadband Guide
SG
search advanced

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please . Any feedback and suggestions can also be posted to our Security forum.

 1 |....| 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 |....| 54 
Port(s) Protocol Service Scan level Description
 2977 tcp,udp ttc-etap-ns not scanned TTCs Enterprise Test Access Protocol - NS
 2978 tcp,udp ttc-etap-ds not scanned TTCs Enterprise Test Access Protocol - DS
 2968 tcp,udp enpp not scanned Epson software update tool (EEventMan, MacOS)
Rtvscan (Symantec Antivirus) for Novell NetWare servers

SDBot trojan [Symantec-2002-051312-3628-99]

ENPP (IANA official)
 2964 tcp,udp bullant-srap not scanned BULLANT SRAP
 2965 tcp,udp bullant-rap not scanned BULLANT RAP
 2962 tcp,udp iph-policy-cli not scanned IPH-POLICY-CLI
 2963 tcp,udp iph-policy-adm not scanned IPH-POLICY-ADM
 2953 tcp,udp ovalarmsrv not scanned OVALARMSRV
 2954 tcp,udp ovalarmsrv-cmd not scanned Integer overflow in ovalarmsrv.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via a crafted command to TCP port 2954, which triggers a heap-based buffer overflow.
References: [CVE-2008-2438], [BID-34738]

Multiple stack-based buffer overflows in ovalarmsrv in HP OpenView Network Node Manager (OV NNM) 7.51, and possibly 7.01, 7.50, and 7.53, allow remote attackers to execute arbitrary code via a long (1) REQUEST_SEV_CHANGE (aka number 47), (2) REQUEST_SAVE_STATE (aka number 61), or (3) REQUEST_RESTORE_STATE (aka number 62) request to TCP port 2954.
References: [CVE-2008-3544] [BID-28668] [SECUNIA-31688]

Port is also IANA registered for OVALARMSRV-CMD.
 2916 tcp,udp elvin_server not scanned Elvin Server
 2917 tcp,udp elvin_client not scanned Elvin Client
 2930 tcp,udp amx-weblinx not scanned PANJA-WEBLINX
IANA registered for: AMX-WEBLINX
 2874 tcp,udp dxmessagebase1 not scanned DX Message Base Transport Protocol
 2875 tcp,udp dxmessagebase2 not scanned DX Message Base Transport Protocol
 2869 tcp,udp icslap Members scan Microsoft Internet Connection Firewall (ICF), Internet Connection Sharing (ICS), SSDP Discover Service, Microsoft Universal Plug and Play (UPnP), Microsoft Event Notification

IANA registered for: ICSLAP
 2860 tcp,udp dialpad-voice1 not scanned Dialpad Voice 1
 2861 tcp,udp dialpad-voice2 not scanned Dialpad Voice 2
 2844 tcp,udp bpcp-poll not scanned BPCP POLL
 2845 tcp,udp bpcp-trap not scanned BPCP TRAP
 2834 tcp,udp evtp not scanned EVTP
 2835 tcp,udp evtp-data not scanned EVTP-DATA
 2832 tcp,udp silkp4 not scanned Media Streaming, Live Blogging Sametime 751 (peer-to-peer video feed), FlashFXP

IANA registered for: silkp4
 2823 tcp,udp cqg-netlan not scanned CQG Net/LAN
 2824 tcp,udp cqg-netlan-1 not scanned CQG Net/LAN 1
 2816 tcp,udp lbc-watchdog not scanned The Guild 2, Microsoft Robotics - Visual Simulation Environment
IANA registered for: LBC Watchdog
 2815 tcp,udp lbc-measure not scanned LBC Measurement
 2813 tcp,udp llm-pass not scanned llm-pass
 2814 tcp,udp llm-csv not scanned llm-csv
 2779 tcp,udp lbc-sync not scanned LBC Sync
 2780 tcp,udp lbc-control not scanned LBC Control
 2747 tcp,udp fjippol-swrly not scanned fjippol-swrly
 2776 tcp,udp ridgeway1 not scanned Ridgeway Systems & Software
 2777 tcp,udp ridgeway2 not scanned Ridgeway Systems & Software
 2748 tcp,udp fjippol-polsvr not scanned The Computer Telephony Integration (CTI) Manager service in Cisco Unified Communications Manager (CUCM) 5.x and 6.x allows remote attackers to cause a denial of service (TSP crash) via malformed network traffic to TCP port 2748.
References: [CVE-2008-2061], [BID-29933]

Port is also IANA registered for fjippol-polsvr.
 2749 tcp,udp fjippol-cnsl not scanned fjippol-cnsl
 2741 tcp,udp tsb not scanned TSB
 2742 tcp,udp tsb2 not scanned TSB2
 2727 tcp,udp mgcp-callagent not scanned Media Gateway Control Protocol Call Agent

ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl –diag)
 2427 tcp,udp mgcp-gateway not scanned ShoreTel IP Telephony system uses the following ports:
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl –diag)

Media Gateway Control Protocol Gateway (IANA official)
 2717 tcp,udp pn-requester not scanned PN REQUESTER
 2718 tcp,udp pn-requester2 not scanned PN REQUESTER 2

The Prayer 2 trojan horse also uses port 2718 (TCP).
 2677 tcp,udp gadgetgate1way not scanned Gadget Gate 1 Way
 2678 tcp,udp gadgetgate2way not scanned Gadget Gate 2 Way
 2664 tcp,udp patrol-mq-gm not scanned Patrol for MQ GM
 2665 tcp,udp patrol-mq-nm not scanned Patrol for MQ NM
 2657 tcp,udp sns-dispatcher not scanned SNS Dispatcher
 2658 tcp,udp sns-admin not scanned SNS Admin
 2659 tcp,udp sns-query not scanned SNS Query
 2656 tcp,udp kana not scanned ICQ P2P, SQL Remote Connection
IANA registered for: Kana
 2621 tcp,udp miles-apart not scanned Oracle Procedural Gateway
IANA registered for: Miles Apart Jukebox Server
 2601 tcp,udp discp-client not scanned zebra vty
IANA registered for: discp client

McAfee Network Threat Behavior Analysis could allow a remote attacker from within the local network to gain elevated privileges on the system, caused by an error related to the default configuration in the Zebra service. By connecting to port 2601 with telnet, an attacker could exploit this vulnerability to gain unrestricted root access to the machine.
References: [XFDB-85937] [BID-61420]
 2602 tcp,udp discp-server not scanned RIPd vty
IANA registered for: discp server
 2598 tcp,udp citriximaclient not scanned Citrix NetScaler gateway XenDesktop/XenApp VDA uses port 2598 TCP/UDP for access to applications and virtual desktops by ICA/HDX with Session Reliability.

new ICA - when Session Reliability is enabled, TCP port 2598 replaces port 1494

IANA registered for: Citrix MA Client
 2595 tcp,udp worldfusion1 not scanned World Fusion 1
 2596 tcp,udp worldfusion2 not scanned World Fusion 2
 2581 tcp,udp argis-te not scanned ARGIS TE
 2582 tcp,udp argis-ds not scanned ARGIS DS
 2546 tcp,udp vytalvaultbrtp not scanned vytalvaultbrtp
 2547 tcp,udp vytalvaultvsmp not scanned vytalvaultvsmp
 2548 tcp,udp vytalvaultpipe not scanned vytalvaultpipe
 2512 tcp,udp citrixima not scanned Citrix IMA uses port 2512 TCP (IANA registered).

Buffer overflow in the Independent Management Architecture (IMA) service in Citrix Presentation Server (MetaFrame Presentation Server), Access Essentials and Desktop Server 1.0 allows remote attackers to execute arbitrary code via an invalid size value in a packet to TCP port 2512 or 2513.
References: [CVE-2008-0356], [BID-27329]
 2513 tcp,udp citrixadmin not scanned Citrix Management Console uses port 2513 TCP. FMA based platforms 7.5 and later do not use the port.

Port is IANA registered for Citrix ADMIN

Buffer overflow in the Independent Management Architecture (IMA) service in Citrix Presentation Server (MetaFrame Presentation Server), Access Essentials and Desktop Server 1.0 allows remote attackers to execute arbitrary code via an invalid size value in a packet to TCP port 2512 or 2513.
References: [CVE-2008-0356], [BID-27329]
 2500 tcp,udp rtsserv Premium scan Numara Asset Manager Platform (AMP) uses the following ports:
1610 - primary AMP port
1611 - communication between console and master server
Other optional ports used by AMP:
1609 - used to calculate available bandwidth for transfer windows
1612 - used by the application kiosk feature
2500 - used for multicast data transfers to agents
5400 - used for remote control only
22,23,25,135-139,445 - used for auto discovery, SSH remote inventory scans, SMB remote inventory
161 - SNMP remote inventory scan
67-69 - relays can be used to avoid opening ports over the wan

IPContact

TheosMessenger, TheosNet-Admin uses these ports:
2500/tcp, 2501/tcp - listening for client connections
43047/tcp, 43048/tcp - service ports


Macromedia Sitespring 1.2.0 (277.1) using Sybase runtime engine 7.0.2.1480 allows remote attackers to cause a denial of service (crash) via a long malformed request to TCP port 2500, possibly triggering a buffer overflow.
References: [BID-5132], [CVE-2002-1026], [XFDB-9458]

IANA registered for: Resource Tracking system server
 2501 tcp,udp rtsclient not scanned TheosMessenger, TheosNet-Admin uses these ports:
2500/tcp, 2501/tcp - listening for client connections
43047/tcp, 43048/tcp - service ports




IANA registered for: Resource Tracking system client
 2499 tcp,udp unicontrol not scanned gBox, CWShare
IANA registered for: UniControl
 2486 tcp,udp netobjects2 not scanned Net Objects2
 2481 tcp,udp giop not scanned Oracle GIOP
 2482 tcp,udp giop-ssl not scanned Oracle GIOP SSL
 2465 tcp,udp lbm not scanned Load Balance Management
 2466 tcp,udp lbf not scanned Load Balance Forwarding
 2402 tcp,udp taskmaster2000 not scanned TaskMaster 2000 Server
 2403 tcp,udp taskmaster2000 not scanned TaskMaster 2000 Web
 2425 tcp,udp fjitsuappmgr not scanned Telnet, IP Messenger for Windows
IANA registered for: Fujitsu App Manager
 2432 tcp,udp codasrv not scanned codasrv
 2433 tcp,udp codasrv-se not scanned codasrv-se
 2938 tcp,udp sm-pas-1 not scanned SM-PAS-1
 2939 tcp,udp sm-pas-2 not scanned SM-PAS-2
 2940 tcp,udp sm-pas-3 not scanned SM-PAS-3
 2941 tcp,udp sm-pas-4 not scanned SM-PAS-4
 48556 tcp,udp com-bardac-dw not scanned com-bardac-dw, drive.web AC/DC Drive Automation and Control Networks
 47000 tcp,udp mbus not scanned Message Bus
 41666 tcp,udp trojan Premium scan Remote Boot trojan
 31338 tcp,udp trojans Premium scan Back Orifice, ButtFunnel, DeepBO, NetSpy DK trojans
 20432 tcp,udp ddos not scanned Shaft (DDoS)
 10100 tcp,udp trojans not scanned Backdoor.Ranky.O [Symantec-2004-122417-2948-99], Control Total, GiFt trojan, Scalper, Slapper

Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contain a vulnerability in which the Device-status service listens on port 10100/ UDP by default. The service accepts the unverified UDP packets and deserializes the content, which could allow an unauthenticated attacker to remotely execute arbitrary code.
References: [CVE-2023-1133]
 7424 tcp,udp trojan not scanned Host Control trojan
 49683 tcp,udp trojan not scanned Fenster trojan (a.k.a. Trojan.Win32.Fenster, Backdoor.Fenster.21)
 2989 tcp,udp trojan not scanned Rat 1.2, Backdoor.Brador.A [Symantec-2004-080516-3455-99]
 2115 tcp,udp kdm Premium scan MIS Department

Trojan Bugs also uses port 2115 (TCP)

IANA registered for: Key Distribution Manager
 1313 tcp,udp bmc-patroldb Premium scan NETrojan uses port 1313 (TCP).

Backdoor.Win32.Pahador.aj / Authentication Bypass RCE - the malware listens on TCP ports 1313 and 21. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2021-0393]

BMC_PATROLDB (IANA official)
 1207 tcp,udp trojan Premium scan SoftWAR trojan

Commandos 3: Destination Berlin also uses this port (UDP).
 1183 tcp,udp trojans Members scan Balistix is a backdoor Trojan affecting Microsoft Windows operating systems. The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 1183, to allow the client system to connect. Balistix could allow a remote attacker to gain unauthorized access to the system.
References: [XFDB-15148]

Trojans that also use this port: Cyn, SweetHeart
 1044 tcp,udp trojan not scanned Ptakks
 815 tcp,udp trojan not scanned Everyone's Darling trojan horse
 61747 tcp,udp trojan not scanned KiLo trojan - listens on ports 50829,61746,61747,61748. May be related to Backdoor.KiLo [Symantec-2003-021319-1815-99] that uses ports 6711, 6718.
 61746 tcp,udp trojan not scanned KiLo trojan - listens on ports 50829,61746,61747,61748. May be related to Backdoor.KiLo [Symantec-2003-021319-1815-99] that uses ports 6711, 6718.
 50829 tcp,udp trojan not scanned KiLo trojan [Symantec-2003-021319-1815-99]

Backdoor.Win32.BirdSpy.b / Weak Hardcoded Credentials - the malware listens on TCP port 50829. Authentication is required, however the password "ccbird" is weak and hardcoded in the PE file.
References: [MVID-2022-0523]
 47785 tcp,udp trojan not scanned KiLo trojan [Symantec-2003-021319-1815-99]
 46666 tcp,udp trojan not scanned Taskman trojan
 44767 tcp,udp trojan not scanned School Bus trojan

Vulnerabilities listed: 100 (some use multiple ports)
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About