The Broadband Guide
SG
search advanced
 Username:
 Password:
Register
 forgot password?

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please . Any feedback and suggestions can also be posted to our Security forum.

 1 | 2 | 3 | 4 | 5 | 6 |....| 41 
Port(s) Protocol Service Scan level Description
 593 tcp Members scan MS Security Bulletin [MS03-026] outlines a critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
 1338 tcp Premium scan Millenium Worm, affects Unix/Linux.
 511 tcp Premium scan Part of rootkit t0rn, a program called "leeto's socket daemon" runs at this port.
 0 tcp,udp not scanned This port is technically illegal, but possible. It is often used to fingerprint machines, because different operating systems respond to this port in different ways.
 3872 tcp not scanned Oracle Management Remote Agent
 1526 tcp not scanned Oracle database common alternative for listener
 7308 tcp Premium scan NetMonitor trojan (a.k.a. NetSpy, NTMonitor, BackDoor-E.srv., Backdoor.Netspy, Backdoor.NetMonitor)
 28 tcp Premium scan AltaVista Firewall97 accepts connections on ports 26,27,28 and 29, this can be used to fingerprint the type of firewall in use.


Amanda trojan uses port 28/tcp.
 6180 tcp Premium scan Common Port for phishing scam sites
 41014 tcp not scanned The Johnson Controls CK721-A controller with firmware before SSM4388_03.1.0.14_BB allows remote attackers to perform arbitrary actions via crafted packets to TCP port 41014 (aka the download port).
References: [CVE-2012-2607]
 61460 tcp not scanned An unspecified API on Cisco TelePresence Immersive Endpoint Devices before 1.9.1 allows remote attackers to execute arbitrary commands by leveraging certain adjacency and sending a malformed request on TCP port 61460, aka Bug ID CSCtz38382.
References: [CVE-2012-3074]
 5492 tcp,udp not scanned Soti Pocket Controller-Professional 5.0 allows remote attackers to turn off, reboot, or hard reset a PDA via a series of initialization, command, and reset packets sent to port 5492.
References: [CVE-2005-4152] [BID-15775] [SECUNIA-17966]
 9833 udp not scanned Telindus 1100 series ADSL router allows remote attackers to gain privileges to the device via a certain packet to UDP port 9833, which generates a reply that includes the router's password and other sensitive information in cleartext.
References: [CVE-2002-0949] [BID-4946]
 9099 tcp not scanned HP Laserjet printers with JetDirect cards, when configured with TCP/IP, allow remote attackers to bypass print filters by directly sending PostScript documents to TCP ports 9099 and 9100.
References: [CVE-1999-1062]
 7074 tcp,udp not scanned Multiple directory traversal vulnerabilities in Bitdefender GravityZone before 5.1.11.432 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the id parameter to webservice/CORE/downloadFullKitEpc/a/1 in the Web Console or (2) %2E%2E (encoded dot dot) in the default URI to port 7074 on the Update Server.
References: [CVE-2014-5350]
 51410 tcp not scanned VDG Security SENSE (formerly DIVA) 2.3.13 sends the user database when a user logs in, which allows remote authenticated users to obtain usernames and password hashes by logging in to TCP port 51410 and reading the response.
References: [CVE-2014-9577]
 15998 udp 2ping not scanned IANA registered for: 2ping Bi-Directional Ping Service
 48049 tcp,udp 3gpp not scanned 3GPP Cell Broadcast Service Protocol
 8550 tcp,udp 4psa not scanned Primary/Master 4PSA DNS Manager server - http://www.4psa.com/
Port is used for master/slave connection between servers, also uses ports 53 and 953 tcp/udp.
 1027 udp 6a44 not scanned IPv6 Behind NAT44 CPEs [IESG] (IANA official) [RFC 6751]
 4598 tcp,udp a16-an-an not scanned A16 (AN-AN)
 4599 tcp,udp a17-an-an not scanned A17 (AN-AN)
 4502 tcp a25-fap-fgw not scanned Multiple Cogent products are vulnerable to a denial of service, caused by a NULL pointer dereference when handling formatted text commands. By sending a specially-crafted command containing a backslash to TCP ports 4502 or 4503, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [XFDB-83280], [BID-58910]

A25 (FAP-FGW) [ThreeGPP2] (SCTP, IANA official)
 28119 udp a27-ran-ran not scanned A27 cdma2000 RAN Management [ThreeGPP2] (IANA official)
 674 tcp ACAP Premium scan ACAP -- Application Configuration Access Protocol

References: RFC2244, RFC2595, RFC2636
 6868 udp acctopus-st not scanned Acctopus Status
 6969 tcp acmsoda Members scan Backdoor.Assasin.D trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker.

Other trojans that use this port: GateCrasher, IRC 3/IRC Hack, Net Controller, Priority, Danton, 2000Cracks
 3823 tcp,udp acp-conduit not scanned Compute Pool Conduit
 3822 tcp,udp acp-discovery not scanned Compute Pool Discovery
 3824 tcp,udp acp-policy not scanned Compute Pool Policy
 7509 tcp acplt not scanned IANA registered for: ACPLT - process automation service
 5103 tcp actifio-c2c not scanned IANA registered for: Actifio C2C
 61616 tcp,udp activemq not scanned Apache ActiveMQ, Java Message Service (JMS)

Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (memory consumption) via a flood of TCP packets to port (1) 61615 or (2) 61616, aka Bug ID CSCtz90114.
References: [CVE-2013-3389]
 64320 tcp,udp activepdf not scanned Port used by ActivePDF software - automates PDF generation process from different sources, such as a website

ActivePDF WebGrabber - port 64320
ActivePDF Server - port 53535
ActivePDF DocConverter - port 53540 and port 53541
 53535,53540,53541 tcp,udp activepdf not scanned Port used by ActivePDF software - automates PDF generation process from different sources, such as a website

ActivePDF WebGrabber - port 64320
ActivePDF Server - port 53535
ActivePDF DocConverter - port 53540 and port 53541
 6350 tcp,udp adap not scanned App Discovery and Access Protocol
 34570 udp adaptec not scanned Adaptec Storage Manager
 7508 tcp adcp not scanned Automation Device Configuration Protocol [Festo AG] (IANA official)
 8800 tcp address book not scanned Apple Address Book (Mac OS X Server v10.6 and later)

Sun Java System Web Server could allow a remote attacker to execute arbitrary code on the system, caused by a format string error in the WebDAV functionality. By sending a specially-crafted HTTP request on TCP port 8800 containing malicious format specifiers, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause the webservd process to crash.
References: [XFDB-55812], [BID-37910]
 7935 tcp adobe not scanned Fixed port used for Adobe Flash Debug Player to communicate with a debugger (Flash IDE, Flex Builder or fdb).
 3703 tcp,udp adobeserver-3 not scanned Adobe Server 3
 3704 tcp,udp adobeserver-4 not scanned Adobe Server 4
 3705 tcp,udp adobeserver-5 not scanned Adobe Server 5
 5913 tcp,udp,sctp ads-c not scanned Automatic Dependent Surveillance [Eivan_Cerasi] (IANA official)
 8060 udp aero not scanned Asymmetric Extended Route Optimization (AERO) [IESG] [RFC 6706] (IANA official)
 7107 udp aes-x170 not scanned IANA registered for: AES-X170
 8202 udp aesop not scanned Audio+Ethernet Standard Open Protocol [POWERSOFT SRL] (IANA official)
 4362 udp afore-vdp-disc not scanned IANA registered for: AFORE vNode Discovery protocol
 548 tcp afpovertcp not scanned AppleShare, Personal File Sharing, Apple File Service

ExtremeZ-IP.exe in ExtremeZ-IP File and Print Server 5.1.2x15 and earlier allows remote attackers to cause a denial of service (daemon crash) via an invalid UAM field in a request to the Apple Filing Protocol (AFP) service on TCP port 548.
References: [CVE-2008-0759], [BID-27718]

Novell Netware is vulnerable to a denial of service, caused by a NULL pointer dereference in the AFPTCP.nlm module. By sending a specially-crafted AFP request to TCP port 548, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [CVE-2010-0317], [XFDB-55389], [BID-37616], [OSVDB-61604]
 7000 tcp afs-fileserver Members scan afs fileserver

Command and Conquer Renegade and Rumble Fighter (TCP/UDP) also use this port.

W32.Gaobot.BQJ (11.08.2004) - network-aware worm taht opens a backdoor and can be controlled via IRC. It can affect all current Windows versions. Connects to an IRC server on port 7000/tcp.
W32.Mydoom.BQ@mm (05.11.2005) - mass-mailing worm with backdoor capabilities, that uses its own SMTP engine. It communicates with an IRC server and listens for remote commands on port 7000/tcp.

W32.Mytob.GC@mm (06.30.2005) - mass-mailing worm that opens a backdoor on port 7000/tcp.

Some older trojan horses/backdoors that also use this port: Exploit Translation Server, Kazimas, Remote Grab, SubSeven

The control-plane access-list implementation in Cisco IPS Software before 7.1(8p2)E4 and 7.2 before 7.2(2)E4 allows remote attackers to cause a denial of service (MainApp process outage) via crafted packets to TCP port 7000, aka Bug ID CSCui67394.
References: [CVE-2014-0719], [BID-65667], [XFDB-91195]

The game Aliens vs Predator 2 uses ports 7000-10000 (TCP)
 7001 tcp,udp afs3-callback Premium scan Callback To Cache Manager, MSN Messenger

Command and Conquer Renegade also uses this port (TCP).

Trojans that use this port: Freak2k, Freak88, NetSnooper Gold.

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
References: [CVE-2015-4852]
 7006 tcp,udp afs3-errors not scanned RealAudio, Error interpretation service, BMC Software CONTROL-M/Server and CONTROL-M/AgentServer-to-Agent, City of Heroes, City of Villains

Trojan.JBosser opens command and control communication on port 7006.
 7004 tcp,udp afs3-kaserver not scanned AFS/Kerberos authentication service, City of Heroes, City of Villains, RealAudio
 7002 tcp,udp afs3-pserver not scanned users & groups database

Command and Conquer Renegade also uses this port (TCP).
 7003 tcp,udp afs3-vlserver not scanned Volume location database, City of Heroes, City of Villains, RealAudio

MA Lighting Technology grandMA onPC is vulnerable to a denial of service, caused by an error when processing socket connection negotiation. By sending a single malicious packet to TCP port 7003, an attacker could exploit this vulnerability to cause the device to crash.
References: [BID-66645], [XFDB-92300]
 7005 tcp,udp afs3-volser not scanned Volume managment server, City of Heroes, City of Villains, RealAudio, BMC Control-M/Server, BMC Control-M/Agent, Oracle HTTP
 705 tcp agentx not scanned RealNetworks Helix Server is vulnerable to a denial of service, caused by an error in the SNMP Master Agent process (master.exe). By establishing and immediately closing a TCP connection on port 705, a remote attacker could exploit this vulnerability to cause the service to terminate.
References: [XFDB-74674], [BID-52929]

IANA registered for: AgentX
 17555 tcp ailith not scanned Ailith management of routers (IANA official)
 5190 tcp,udp aim Members scan ICQ, AIM (AOL Instant Messenger), Apple iChat

Malicious services using this port: MBomber, W32.hllw.anig

AOL Instant Messenger (AIM) allows remote attackers to steal files that are being transferred to other clients by connecting to port 4443 (Direct Connection) or port 5190 (file transfer) before the intended user.
References: [CVE-2002-0592], [BID-4574]

Trojan.Kalshi (2003.10.10) - a trojan program that is designed to allow spammers to anonymously send email spam via a compromised system. The trojan may install a rootkit (MCID 1300) to obscure its activities.

W32.HLLW.Anig (2004.01.28) - a worm that propagates over network shares. The worm also contains a keylogger and backdoor component.
 5191 tcp,udp aim not scanned ICQ, AIM (AOL Instant Messenger)
 5192 tcp,udp aim not scanned ICQ, AIM (AOL Instant Messenger)
 5193 tcp,udp aim not scanned ICQ, AIM (AOL Instant Messenger)
 4804 udp aja-ntv4-disc not scanned AJA ntv4 Video System Discovery
 8007 tcp ajp12 not scanned Apache JServ Protocol v12

Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.
References: [CVE-2005-0808], [BID-12795]
 16003 udp alfin not scanned IANA registered for: Automation and Control by REGULACE.ORG
 9956 udp alljoyn not scanned Alljoyn Name Service [Qualcomm Innovation Center] (IANA official)
 9955 udp alljoyn-mcm not scanned Contact Port for AllJoyn multiplexed constrained messages [Qualcomm Innovation Center] (IANA official)
 9955 tcp alljoyn-stm not scanned Contact Port for AllJoyn standard messaging [Qualcomm Innovation Center] (IANA official)
 50200 tcp,udp altiris-wol not scanned Symantec Altiris Notification and Task Server WOL magic packets use this port.
 35355 tcp altova-lm not scanned Altova License Management
 35355 udp altova-lm-disc not scanned Altova License Management Discovery
 4563 tcp amahi-anywhere not scanned Amahi Anywhere - an app to locally and remotely (via an SSL-secured service, provided by Amahi) access, browse and stream files from your server [Amahi] (IANA official)
 5506 tcp,udp amc not scanned Amcom Mobile Connect
 8766 tcp,udp amcs not scanned Agilent Connectivity Service - Agilent Technologies Inc (IANA official)

Breach game (UDP)
 1610 tcp amp not scanned Numara Asset Manager Platform (AMP) uses the following ports:
1610 - primary AMP port
1611 - communication between console and master server
Other optional ports used by AMP:
1609 - used to calculate available bandwidth for transfer windows
1612 - used by the application kiosk feature
2500 - used for multicast data transfers to agents
5400 - used for remote control only
22,23,25,135-139,445 - used for auto discovery, SSH remote inventory scans, SMB remote inventory
161 - SNMP remote inventory scan
67-69 - relays can be used to avoid opening ports over the wan

 1609 tcp amp not scanned Numara Asset Manager Platform (AMP) uses the following ports:
1610 - primary AMP port
1611 - communication between console and master server
Other optional ports used by AMP:
1609 - used to calculate available bandwidth for transfer windows
1612 - used by the application kiosk feature
2500 - used for multicast data transfers to agents
5400 - used for remote control only
22,23,25,135-139,445 - used for auto discovery, SSH remote inventory scans, SMB remote inventory
161 - SNMP remote inventory scan
67-69 - relays can be used to avoid opening ports over the wan
 8040 tcp,udp ampify not scanned Ampify Messaging Protocol
ScreenConnect uses port 8040 (TCP)
 5195 tcp ampl-lic not scanned The protocol is used by a license server and client programs to control use of program licenses that float to networked machines [AMPL Optimization] (IANA official)
 5196 tcp ampl-tableproxy not scanned The protocol is used by two programs that exchange "table" data used in the AMPL modeling language [AMPL Optimization] (IANA official)
 5672 tcp,udp,sctp amqp not scanned Advanced Message Queueing Protocol, see http://www.amqp.org
Also used by: MOHAA Reverend
 2268 tcp,udp amt not scanned AMT (IANA official) [RFC 7450]
 4712 tcp amule not scanned aMule internal connection port - used to communicate aMule with other applications such as aMule WebServer or aMuleCMD.
 2929 tcp amx-webadmin Premium scan Trojans using this port: Konik

IANA registered for: AMX-WEBADMIN (PANJA-WEBADMIN)
 2930 tcp,udp amx-weblinx not scanned PANJA-WEBLINX
IANA registered for: AMX-WEBLINX
 6588 tcp analogx Premium scan Port used by AnalogX proxy server. Common web proxy server ports: 8080, 80, 3128, 6588

Buffer overflows in AnalogX Proxy before 4.12 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request to TCP port 6588 or a SOCKS 4A request to TCP port 1080 with a long DNS hostname.
References: [CVE-2002-1001] [BID-5139]

Buffer overflow in AnalogX Proxy 4.13 allows remote attackers to execute arbitrary code via a long URL to port 6588.
References: [CVE-2003-0410] [BID-7681]
 5228 tcp,udp android not scanned Port 5228 is used by the Google Playstore (Android market). Google talk also uses ports 443, 5222 and 5228. Google Chrome user settings sync (facorites, history, passwords) uses port 5228.
 3338 tcp,udp anet-b not scanned OMF data b
 3341 tcp,udp anet-h not scanned OMF data h
 3339 tcp,udp anet-l not scanned OMF data l
 3340 tcp,udp anet-m not scanned OMF data m
 47806 tcp,udp ap not scanned ALC Protocol
 2160 tcp,udp apc-2160 not scanned APC 2160
 2161 tcp,udp apc-2161 not scanned APC 2161
 5455 tcp,udp apc-5455 not scanned APC 5455 [American Power Conve] (IANA official)
 5456 tcp,udp apc-5456 not scanned APC 5455 [American Power Conve] (IANA official)
 6547 tcp,udp apc-6547 not scanned APC 6547 [American Power Conversion] (IANA official)
 6548 tcp,udp apc-6548 not scanned APC 6548 [American Power Conversion] (IANA official)
 6549 tcp,udp apc-6549 not scanned APC 6549 [American Power Conversion] (IANA official)
 7846 tcp,udp apc-7846 not scanned APC 7846 [American Power Conversion] (IANA official)
 912 tcp apex Members scan Port assigned to the APEX (Application Exchange Core) protocol. It is an XML-based protocol designed for sending instant messages based on the Blocks Extensible Exchange Protocol (BEEP).

APEX also uses TCP port 913 as its endpoint-relay service. The APEX protocol has been replaced by the SIP, SIMPLE and XMPP protocols. Port 912 is used primarily to receive and send messages that are originated via the end-points located in port 913. Information sent and received via port 912 includes the endpoint that created it, a URI reference point, the endpoints that will receive it and other options.

RealFlex RealWin is a SCADA server package for medium and small applications designed to control and monitor real-time applications. The RealWin application runs an HMI service on port 912/tcp. This service is vulnerable to two stack-based buffer overflows. One vulnerability is caused by the use of sprintf() in the SCPC_INITIALIZE() and SCPC_INITIALIZE_RF() functions. The second vulnerability is caused by the use of strcpy() in the SCPC_TXTEVENT() function.
References: [CVE-2010-4142], [BID-44150]

Vulnerabilities listed: 100 (some use multiple ports)
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About