Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
Port(s) |
Protocol |
Service |
Scan level |
Description |
12200 |
tcp |
applications |
not scanned |
GNucDNA, Tenebril GhostSurf |
12080 |
tcp |
applications |
Members scan |
Port used by WebShield, Dwyco Video Conferencing, NetworkServer, Delta Three PC to Phone.
Trojan Troj/Agent-E, Win32.Disprox.A also use this port. |
12083 |
tcp |
applications |
not scanned |
Delta Three PC to Phone |
12120 |
udp |
applications |
not scanned |
Delta Three PC to Phone |
12122 |
udp |
applications |
not scanned |
Delta Three PC to Phone |
11000 |
tcp,udp |
applications |
Premium scan |
Port used by Cisco Border Gateway Protocol, Microsoft Visual Studio, .Net Framework, SCInterface, Video Insight Health Monitor.
Games using this port: Everquest Online Adventures, The Matrix Online, The Matrix Online (TCP), Archlord, Subnautica multiplayer mod Nitrox
Malware using this port: Senna Spy Trojan Generator, DataRape |
9833 |
tcp |
applications |
not scanned |
Telindus router - default port for the 1100 series of Telindus ADSL routers, such as 1110 and 1120. |
8282 |
tcp |
applications |
not scanned |
Y-cam Wireless IP Camera, SAS Server, CS Intranet use this port.
IANA registered for: Libelle EnterpriseBus |
8245 |
tcp |
applications |
not scanned |
No-IP, DynDNS, Y-cam Wireless IP Camera use this port. |
8222 |
tcp |
applications |
not scanned |
VMware, Y-cam Wireless IP Camera |
8333 |
tcp |
applications |
Premium scan |
Bitcoin cryptocurrency uses port 8333. (Bitcoin Testnet uses 18333 instead)
Common cryptocurrency ports (TCP):
Bitcoin: 8333
Litecoin: 9333
Dash: 9999
Dogecoin: 22556
Ethereum: 30303
VMware Server Management User Interface, Y-cam Wireless IP Camera |
8211 |
tcp |
applications |
not scanned |
Dealing Office Server
Palworld Server
Y-cam Wireless IP Camera |
8198 |
tcp |
applications |
not scanned |
Sophos Antivirus, Y-cam Wireless IP Camera |
8192 |
tcp,udp |
applications |
not scanned |
Sophos Remote Management System, SnapStream PVS, SpyTech Phone Service, Y-cam Wireless IP Camera use this port. |
8193 |
tcp,udp |
applications |
not scanned |
Sophos Remote Management System, Y-cam Wireless IP Camera |
8194 |
tcp,udp |
applications |
not scanned |
Sophos Remote Management System, Bloomberg data API, Y-cam Wireless IP Camera use this port. |
8182 |
tcp |
applications |
not scanned |
SQL servers
Port is IANA registered for VMware Fault Domain Manager (TCP/UDP). |
8143 |
tcp,udp |
applications |
not scanned |
ImapProxy, SCO SSH Tunneling |
8443 |
tcp |
applications |
Members scan |
Common alternative HTTPS port.
PCSync HTTPS (SSL), SW Soft Plesk Control Panel, Apache Tomcat SSL, iCal service (SSL), Cisco WaaS Central Manager (SSL administration port), Promise WebPAM SSL
Ubiquiti UniFi Controller uses these ports:
8080 tcp - http port for UAP to inform controller
8443 tcp - https port for controller GUI/API
8880 tcp - http portal redirect port (may also use ports 8881, 8882)
8843 tcp - https portal redirect port
3478 udp - STUN port (should be open at firewall)
Cisco WaaS Central Manager standard SSL administration port.
Cisco Spark application (Cisco Webex Teams services) uses these ports:
443, 8443 TCP - signaling
5004 TCP/UDP - media
33434 TCP/UDP - media port
Note: older versions of Cisco Webex Teams services may use these additional ports: 53, 123, 444 TCP and 33434-33598 UDP (SIP calls)
German Health Network (aka Gesundheitskarte) "Konnektor" uses ports 8443 and 9443.
Tanium Server, Client and Appliance use these TCP ports: 80, 443, 8443, 17472, 17477
Wyze cameras use these ports:
80, 443 TCP/UDP - timelapse, cloud uploads, streaming data
8443 TCP - cloud api, server connection
123 TCP - time check
10001 TCP - P2P WiFi live streaming
10002 TCP - Firmware updates
22345 TCP - control, used when live streaming
Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc. It is active as of March 2022 and is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443
Symantec Endpoint Protection Manager could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error within the SAP XML parser when processing XML data. By sending a specially-crafted request to TCP port 8443, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information.
References: [XFDB-91102], [EDB-31853], [EDB-31917]
Symantec Backup Exec System Recovery Manager could allow a remote attacker to upload arbitrary files, caused by an error in the FileUpload Class running on the Symantec LiveState Apache Tomcat server. A remote attacker could exploit this vulnerability using an HTTP POST request over port 8443 (TCP) to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable system with SYSTEM privileges.
References: [XFDB-40260]
VMware Workspace ONE Access and Identity Manager allow the /cfg web app and diagnostic endpoints, on port 8443, to be accessed via port 443 using a custom host header. A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app; in addition, a malicious actor could access /cfg diagnostic endpoints without authentication.
References: [CVE-2021-22002] |
7968 |
tcp,udp |
applications |
not scanned |
Odyssey |
7797 |
tcp |
applications |
not scanned |
Accelerate It, Humboldt Internet Accelerator, Hyperspeed Dialup |
7776 |
tcp |
applications |
Premium scan |
Backdoor.Remocy [Symantec-2003-102217-2215-99] (2003.10.22) - a backdoor trojan horse that gives its creator full control over a computer through a Web browser. The existence of the Inject.dll file is an indication of a possible infection.
Trojans: marlDOOM, PoslDOOM |
7725 |
tcp,udp |
applications |
not scanned |
Nitrogen Service
GunZ
Faronics Deep Freeze (workstation OS protection software) - uses either port 1971 or 7725. |
7654 |
tcp |
applications |
not scanned |
SSH Tunneling |
7234 |
tcp |
applications |
not scanned |
WebSEAL, Knights of the Ruby Order, PokerTH Online, Player Worlds
IANA registered for: Traffic forwarding for Okta cloud |
7144 |
tcp |
applications |
not scanned |
PeerCast, EMC RepliStor, RealAudio
Rep_serv.exe 6.3.1.3 in the server in EMC RepliStor allows remote attackers to cause a denial of service via a crafted packet to TCP port 7144
References: [CVE-2009-3744], [BID-36738] |
7125 |
udp |
applications |
not scanned |
StateMirrorClientToServer, RealAudio |
7099 |
udp |
applications |
not scanned |
City of Heroes, City of Villains, lazy-ptop, RealAudio |
7090 |
udp |
applications |
not scanned |
City of Heroes, City of Villains, RealAudio |
7103 |
udp |
applications |
not scanned |
RealAudio, Dungeon Fighter Online (TCP/UDP) |
7126 |
udp |
applications |
not scanned |
RealAudio |
7127 |
udp |
applications |
not scanned |
RealAudio |
7090 |
tcp |
applications |
not scanned |
Surpass Copycat, EverQuest Launch Pad, Database Voyager (ABLE) |
7007 |
tcp,udp |
applications |
Members scan |
Port used by: Windows Media Player Encoder-to-Server Communication, Skype Session Manager, G3Torrent, X-Men Movieverse, Silent Spy, basic overseer process, City of Heroes, City of Villains, RealAudio.
Trojans that use this port: W32.Spybot.Gen3, Silent Spy
MicroSeven MYM71080i-B 2.0.5 through 2.0.20 devices send admin credentials in cleartext to pnp.microseven.com TCP port 7007. An attacker on the same network as the device can capture these credentials.
References: [CVE-2021-29255] |
6970 |
tcp,udp |
applications |
Members scan |
Port used by Tivoli Software, RTP (Real Time Transport Protocol), RTSP (Real Time Streaming Protocol), BitTorrent, QuickTime 4 server, RealAudio.
Trojans using this port: GateCrasher |
6942 |
tcp |
applications |
not scanned |
BitTorrent, SubEthaEdit text editor |
6900 |
tcp,udp |
applications |
not scanned |
BitTorrent part, Windows Live Messenger, MSN Messenger, Ragnarok Online Server
IANA registered for: R*TIME Viewer Data Interface (TCP) |
6891 |
tcp,udp |
applications |
Premium scan |
BitTorrent, Windows Live Messenger, MSN Messenger
Trojans using this port: Force (6891/tcp only)
aMSN (aka Alvaro's Messenger) allows remote attackers to cause a denial of service (client hang and termination of client's instant-messaging session) by repeatedly sending crafted data to the default file-transfer port (TCP 6891).
References: [CVE-2006-0138] |
6892 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger |
6893 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger |
6894 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger (File transfer) |
6895 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger (File transfer) |
6896 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger (File transfer) |
6897 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger (File transfer) |
6898 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger (File transfer) |
6899 |
tcp,udp |
applications |
not scanned |
BitTorrent, Windows Live Messenger (File transfer) |
6809 |
tcp,udp |
applications |
not scanned |
cman (cluster manager)
Multiple stack-based buffer overflows in FSD 2.052 d9 and earlier, and FSFDT FSD 3.000 d9 and earlier, allow (1) remote attackers to execute arbitrary code via a long HELP command on TCP port 3010 to the sysuser::exechelp function in sysuser.cc and (2) remote authenticated users to execute arbitrary code via long commands on TCP port 6809 to the servinterface::sendmulticast function in servinterface.cc, as demonstrated by a PIcallsign command.
References: [CVE-2007-5256] [BID-25883] [SECUNIA-27008] |
6800 |
tcp |
applications |
not scanned |
Resin server, Resin Watchdog |
6777 |
tcp,udp |
applications |
Premium scan |
BlackSite - Area 51
Trojans using this port: W32.Gaobot, W32/Bagle@MM [Symantec-2004-011815-3332-99]
Backdoor.Win32.IRCBot.gen / Unauthenticated Remote Command Execution - the malware listens on TCP port 6777. Third-party attackers who can reach infected systems can execute commands. Commands must be wrapped in quotes or they will fail.
References: [MVID-2021-0300]
IANA registered for: netTsunami Tracker (TCP) |
6681 |
tcp,udp |
applications |
not scanned |
UPnP, BitTorrent, peer-to-peer |
6661 |
tcp |
applications |
Members scan |
Internet Relay Chat
BigAnt IM Server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking when processing TCP requests by AntServer.exe. By sending a specially-crafted DDNF command containing an overly long string to TCP port 6661, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-83351], [EDB-24943]
Trojans using this port: Weia-Meia, TEMan |
6662 |
tcp |
applications |
not scanned |
Internet Relay Chat, Radmind protocol |
6664 |
tcp |
applications |
Members scan |
Internet Relay Chat
W32.Zotob.K trojan [Symantec-2005-082415-0814-99] exploits Windows vulnerabilities on port 445, opens UDP port 69 for TFTP, listens to TCP ports 6664 and 8172. |
12399 |
tcp |
applications |
not scanned |
Multiple buffer overflows in 7-Technologies (7T) Interactive Graphical SCADA System (IGSS) 9.0.0.11355 and earlier allow remote attackers to execute arbitrary code or cause a denial of service via a crafted packet to TCP ports 12397 or 12399.
References: [CVE-2011-4537], [BID-51157] |
12397 |
tcp |
applications |
not scanned |
Multiple buffer overflows in 7-Technologies (7T) Interactive Graphical SCADA System (IGSS) 9.0.0.11355 and earlier allow remote attackers to execute arbitrary code or cause a denial of service via a crafted packet to TCP ports 12397 or 12399.
References: [CVE-2011-4537], [BID-51157]
Directory traversal vulnerability in dc.exe 9.00.00.11059 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allows remote attackers to execute arbitrary programs via ..\ (dot dot backslash) sequences in opcodes (1) 0xa and (2) 0x17 to TCP port 12397.
References: [CVE-2011-1566] [BID-46936] [SECUNIA-43849]
Stack-based buffer overflow in Schneider Electric Interactive Graphical SCADA System (IGSS) 10 and earlier allows remote attackers to execute arbitrary code by sending TCP port-12397 data that does not comply with a protocol.
References: [CVE-2013-0657] |
6595 |
tcp |
applications |
Members scan |
Backdoor.Assasin.C trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker. |
6436 |
tcp,udp |
applications |
not scanned |
LimeWire Client, Gnutella, PhatBox |
6331 |
udp |
applications |
not scanned |
Windows Live OneCare (WinSs.exe) |
6262 |
tcp,udp |
applications |
not scanned |
Advantage Database Server, Security Manager Plus, Web Callback Standard Protocol, License Server (Poseidon for UML)
Sybase Advantage Server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the ADS process. By sending specially-crafted packets to UDP port 6262, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.
References: [XFDB-68250], [OSVDB-73728], [BID-48464], [SECUNIA-45069] |
6080 |
tcp |
applications |
Premium scan |
noVNC uses TCP port 6080 (console URL), TCP ports 80 or 443 (Horizon GUI), and ports 5900+
PSI Webhosting, BridgeChannel
Stack-based buffer overflow in the AntServer module (AntServer.exe) in BigAnt IM Server in BigAnt Messenger 2.2 allows remote attackers to execute arbitrary code via a long URI in a request to TCP port 6080.
References: [CVE-2008-1914], [BID-28795] |
5993 |
tcp,udp |
applications |
not scanned |
Remote Synchronization (GoldSync), Private game server
IANA registered for: DMTF WBEM CIM REST (TCP) |
5864 |
tcp,udp |
applications |
not scanned |
BiblioFile |
5843 |
tcp,udp |
applications |
not scanned |
IIS Admin Service |
5799 |
tcp,udp |
applications |
not scanned |
ECC Server |
5645 |
tcp,udp |
applications |
not scanned |
Voyager Server
Malicious services using this port: IRC-based Botnet |
5667 |
tcp |
applications |
not scanned |
NSCA (Nagios), MOHAA Reverend |
5656 |
tcp |
applications |
not scanned |
MOHAA Reverend
IBM Lotus Sametime p2p file transfer |
5657 |
tcp |
applications |
not scanned |
MOHAA Reverend |
5658 |
tcp |
applications |
not scanned |
MOHAA Reverend |
5665 |
tcp |
applications |
not scanned |
MOHAA Reverend |
5666 |
tcp |
applications |
Premium scan |
MOHAA Reverend, Nagios NRPE
PC Crasher trojan also uses this port.
SuperDoctor5 - 'NRPE' Remote Code Execution
References: [EDB-47030]
Nagios Remote Plugin Executor (IANA official) |
5577 |
tcp |
applications |
not scanned |
MOHAA Reverend, iSeries Access |
5544 |
tcp |
applications |
Premium scan |
MOHAA Reverend
W32.Zotob trojan/worm also uses this port. |
5522 |
tcp,udp |
applications |
Premium scan |
MOHAA Reverend, Telnet
Malicious services using this port: WinShell Backdoor |
5494 |
tcp,udp |
applications |
not scanned |
MobiControl Deployment server |
5445 |
udp |
applications |
not scanned |
Cisco Unified Video Advantage
ShoreTel IP Telephony system uses the following ports:
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag) |
5280 |
tcp,udp |
applications |
not scanned |
Xvnc, Bidirectional-streams Over Synchronous HTTP (BOSH) (TCP)
Extensible Messaging and Presence Protocol (XMPP) also uses this port |
5180 |
tcp |
applications |
Premium scan |
Backdoor.Peeper [Symantec-2003-091918-3229-99] (2003.09.19) - a trojan horse that allows its creator to control an infected computer. By default, it listens on TCP port 5180.
Applications that use this port: Netscape, Neverwinter Nights 2
Note: Netscape 7 opens this port on localhost only (could be related to the built-in AIM) |
5110 |
tcp |
applications |
Premium scan |
Applications using this port: ProRat Server
Trojans using this port: BDS/Hupigon.bsw, BDS/Prorat.M.B.38, ProRAT |
5106 |
tcp |
applications |
not scanned |
A-Talk Common connection |
5107 |
tcp |
applications |
not scanned |
A-Talk Remote server connection
Disk to Disk replication (IANA official) |
5021 |
tcp,udp |
applications |
not scanned |
zenginkyo-2, LocationFree |
5017 |
tcp |
applications |
Premium scan |
Applications using this port: Astronomical Image Processing System (AIPS), Ojo (UDP)
Malicious services using this port: Win32-Pakes-AKM, WORM_NUWAR |
5001 |
tcp |
applications |
Members scan |
Yahoo Messenger Chat, Evertech (TCP/UDP), SlingBox (TCP/UDP), commplex-link, Iperf (Tool for measuring TCP and UDP bandwidth performance) (TCP/UDP), Synology Inc. Secured Management Console, File Station (TCP/UDP), Audio Station (TCP/UDP)
Malicious services using this port:
Back Door setup trojan, Sockets des Troie trojan
Ipdsserver.exe in Intermate WinIPDS 3.3 G52-33-021 allows remote attackers to cause a denial of service (CPU consumption) via short packets on TCP port 5001 with the 3, 5, 7, 13, 14, or 15 packet types.
References: [CVE-2008-0791], [BID-27757]
Unspecified vulnerability in HP LoadRunner 9.52 allows remote attackers to execute arbitrary code via network traffic to TCP port 5001 or 5002, related to the HttpTunnel feature.
References: [CVE-2011-0272] [BID-45792] [SECUNIA-42898] [OSVDB-70432]
Xen Mobile through 10.8.0 includes a service listening on port 5001 within its firewall that accepts unauthenticated input. If this service is supplied with raw serialised Java objects, it deserialises them back into Java objects in memory, giving rise to a remote code execution vulnerability. NOTE: the vendor disputes that this is a vulnerability, stating it is "already mitigated by the internal firewall that limits access to configuration services to localhost."
References: [CVE-2018-18013]
In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vulnerable parameters. An attacker must be authenticated to exploit this issue to access sensitive information to aid in subsequent attacks.
References: [CVE-2017-15359], [EDB-42991]
Forcepoint User ID (FUID) server versions up to 1.2 have a remote arbitrary file upload vulnerability on TCP port 5001. Successful exploitation of this vulnerability may lead to remote code execution. To fix this vulnerability, upgrade to FUID version 1.3 or higher. To prevent the vulnerability on FUID versions 1.2 and below, apply local firewall rules on the FUID server to disable all external access to port TCP/5001. FUID requires this port only for local connections through the loopback interface.
References: [CVE-2019-6139]
A conference management system of ZTE is impacted by a command execution vulnerability. Since the soapmonitor's java object service is enabled by default, the attacker could exploit this vulnerability to execute arbitrary commands by sending a deserialized payload to port 5001.
References: [CVE-2021-21741]
The Motorola MOSCAD and ACE line of RTUs through 2022-05-02 omit an authentication requirement. They feature IP Gateway modules which allow for interfacing between Motorola Data Link Communication (MDLC) networks (potentially over a variety of serial, RF and/or Ethernet links) and TCP/IP networks. Communication with RTUs behind the gateway is done by means of the proprietary IPGW protocol (5001/TCP). This protocol does not have any authentication features, allowing any attacker capable of communicating with the port in question to invoke (a subset of) desired functionality.
References: [CVE-2022-30276] |
4890 |
tcp,udp |
applications |
Premium scan |
Malicious Services: W32/Stration (worm)
Applications: Linux Gateway |
4833 |
tcp,udp |
applications |
not scanned |
James, Novell |
4811 |
tcp,udp |
applications |
not scanned |
TimeTracker |
4797 |
tcp,udp |
applications |
not scanned |
Integrated Process Server, ProFTPD |
4795 |
tcp,udp |
applications |
not scanned |
DB2, Limewire |
4783 |
tcp,udp |
applications |
not scanned |
Windows Socket Control, Backup Exec |
4774 |
tcp,udp |
applications |
not scanned |
Amcheck, aMule
IANA registered for: Converge RPC (TCP) |
4747 |
tcp |
applications |
not scanned |
Apprentice, Azureus, Glassfish, AppletView |
4726 |
tcp,udp |
applications |
not scanned |
Port Reporter, Mbone |
4627 |
tcp,udp |
applications |
Premium scan |
Applications: QualiSystems TestShell Suite Services
Lala backdoor [Symantec-2002-122014-1523-99] - a trojan horse that allows unauthorized access to a compromised computer. The Trojan attempts to steal confidential information (such as cached passwords and cookies), log keystrokes, and allow for remote file execution. Opens TCP/UDP port 4627, 1149, or 1877 to allow remote access. |
4525 |
tcp,udp |
applications |
not scanned |
Java, postfix SMTP |
3002 |
tcp |
applications |
not scanned |
The web100 NDT (Network Diagnostic Tool) server uses ports 3001, 3002, and 3003 tcp to communicate with the Java applet on the client's desktop. NDT also uses port 7123/tcp.
Miralix CSTA
IANA registered for: EXLM Agent (TCP/UDP) |
3003 |
tcp |
applications |
not scanned |
The web100 NDT (Network Diagnostic Tool) server uses ports 3001, 3002, and 3003 tcp to communicate with the Java applet on the client's desktop. NDT also uses port 7123/tcp.
Miralix GreenBox API
Viewgate Classic DVR also uses port 3003 (TCP/UDP)
IANA registered for: CGMS (TCP/UDP) |
51210 |
tcp |
applications |
not scanned |
Dialpad |
1584 |
tcp |
applications |
not scanned |
Dialpad |
1585 |
tcp |
applications |
not scanned |
Dialpad |
Vulnerabilities listed: 100 (some use multiple ports)