The Broadband Guide
SG
search advanced

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please . Any feedback and suggestions can also be posted to our Security forum.

 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |....| 54 
Port(s) Protocol Service Scan level Description
 12200 tcp applications not scanned GNucDNA, Tenebril GhostSurf
 12080 tcp applications Members scan Port used by WebShield, Dwyco Video Conferencing, NetworkServer, Delta Three PC to Phone.

Trojan Troj/Agent-E, Win32.Disprox.A also use this port.
 12083 tcp applications not scanned Delta Three PC to Phone
 12120 udp applications not scanned Delta Three PC to Phone
 12122 udp applications not scanned Delta Three PC to Phone
 11000 tcp,udp applications Premium scan Port used by Cisco Border Gateway Protocol, Microsoft Visual Studio, .Net Framework, SCInterface, Video Insight Health Monitor.

Games using this port: Everquest Online Adventrures, The Matrix Online, The Matrix Online (TCP), Archlord, Subnautica multiplayer mod Nitrox

Malware using this port: Senna Spy Trojan Generator, DataRape
 9833 tcp applications not scanned Telindus router - default port for the 1100 series of Telindus ADSL routers, such as 1110 and 1120.
 8282 tcp applications not scanned Y-cam Wireless IP Camera, SAS Server, CS Intranet use this port.

IANA registered for: Libelle EnterpriseBus
 8245 tcp applications not scanned No-IP, DynDNS, Y-cam Wireless IP Camera use this port.
 8222 tcp applications not scanned VMWare, Y-cam Wireless IP Camera
 8333 tcp applications Premium scan Bitcoin cryptocurrency uses port 8333. (Bitcoin Testnet uses 18333 instead)
Common cryptocurrency ports (TCP):
Bitcoin: 8333
Litecoin: 9333
Dash: 9999
Dogecoin: 22556
Ethereum: 30303


VMware Server Management User Interface , Y-cam Wireless IP Camera
 8211 tcp applications not scanned Dealing Office Server
Palworld Server
Y-cam Wireless IP Camera
 8198 tcp applications not scanned Sophos Antivirus, Y-cam Wireless IP Camera
 8192 tcp,udp applications not scanned Sophos Remote Management System, SnapStream PVS, SpyTech Phone Service, Y-cam Wireless IP Camera use this port.
 8193 tcp,udp applications not scanned Sophos Remote Management System, Y-cam Wireless IP Camera
 8194 tcp,udp applications not scanned Sophos Remote Management System, Bloomberg data API, Y-cam Wireless IP Camera use this port.
 8182 tcp applications not scanned SQL servers

Port is IANA registered for VMware Fault Domain Manager (TCP/UDP).
 8143 tcp,udp applications not scanned ImapProxy, SCO SSH Tunneling
 8443 tcp applications Members scan Common alternative HTTPS port.

PCSync HTTPS (SSL), SW Soft Plesk Control Panel, Apache Tomcat SSL, iCal service (SSL), Cisco WaaS Central Manager (SSL administration port), Promise WebPAM SSL

Ubiquiti UniFi Controller uses these ports:
8080 tcp - http port for UAP to inform controller
8443 tcp - https port for controller GUI/API
8880 tcp - http portal redirect port (may also use ports 8881, 8882)
8843 tcp - https portal redirect port
3478 udp - STUN port (should be open at firewall)

Cisco WaaS Central Manager standard SSL administration port.

Cisco Spark application (Cisco Webex Teams services) uses these ports:
443, 8443 TCP - signaling
5004 TCP/UDP - media
33434 TCP/UDP - media port
Note: older versions of Cisco Webex Teams services may use these additional ports: 53, 123, 444 TCP and 33434-33598 UDP (SIP calls)

German Health Getwork (aka Gesundheitskarte) "Konnektor" uses ports 8443 and 9443.

Tanium Server, Client and Appliance use these TCP ports: 80, 443, 8443, 17472, 17477

Wyze cameras use these ports:
80, 443 TCP/UDP - timelapse, cloud uploads, streaming data
8443 TCP - cloud api, server connection
123 TCP - time check
10001 TCP - P2P WiFi live streaming
10002 TCP - Firmware updates
22345 TCP - control, used when live streaming


Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc., it is active as of March 2022, and it is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443

Symantec Endpoint Protection Manager could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error within the SAP XML parser when processing XML data. By sending a specially-crafted request to TCP port 8443, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information.
References: [XFDB-91102], [EDB-31853], [EDB-31917]

Symantec Backup Exec System Recovery Manager could allow a remote attacker to upload arbitrary files, caused by an error in the FileUpload Class running on the Symantec LiveState Apache Tomcat server. A remote attacker could exploit this vulnerability using an HTTP POST request over port 8443 (TCP) to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable system with SYSTEM privileges.
References: [XFDB-40260]

VMware Workspace ONE Access and Identity Manager, allow the /cfg web app and diagnostic endpoints, on port 8443, to be accessed via port 443 using a custom host header. A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app, in addition a malicious actor could access /cfg diagnostic endpoints without authentication.
References: [CVE-2021-22002]
 7968 tcp,udp applications not scanned Odyssey
 7797 tcp applications not scanned Accelerate It, Humboldt Internet Accelerator, Hyperspeed Dialup
 7776 tcp applications Premium scan Backdoor.Remocy [Symantec-2003-102217-2215-99] (2003.10.22) - a backdoor trojan horse that gives its creator full control over a computer through a Web browser. The existence of the Inject.dll file is an indication of a possible infection.

Trojans: marlDOOM, PoslDOOM
 7725 tcp,udp applications not scanned Nitrogen Service
GunZ
Faronics Deep Freeze (workstation OS protection software) - uses either port 1971 or 7725.
 7654 tcp applications not scanned SSH Tunneling
 7234 tcp applications not scanned WebSEAL, Knights of the Ruby Order, PokerTH Online, Player Worlds

IANA registered for: Traffic forwarding for Okta cloud
 7144 tcp applications not scanned PeerCast, EMC RepliStor, RealAudio

Rep_serv.exe 6.3.1.3 in the server in EMC RepliStor allows remote attackers to cause a denial of service via a crafted packet to TCP port 7144
References: [CVE-2009-3744], [BID-36738]
 7125 udp applications not scanned StateMirrorClientToServer, RealAudio
 7099 udp applications not scanned City of Heroes, City of Villains, lazy-ptop, RealAudio
 7090 udp applications not scanned City of Heroes, City of Villains, RealAudio
 7103 udp applications not scanned RealAudio, Dungeon Fighter Online (TCP/UDP)
 7126 udp applications not scanned RealAudio
 7127 udp applications not scanned RealAudio
 7090 tcp applications not scanned Surpass Copycat, EverQuest Launch Pad, Database Voyager (ABLE)
 7007 tcp,udp applications Members scan Port used by: Windows Media Player Encoder-to-Server Communication, Skype Session Manager, G3Torrent, X-Men Movieverse, Silent Spy, basic overseer process, City of Heroes, City of Villains, RealAudio.

Trojans that use this port: W32.Spybot.Gen3, Silent Spy

MicroSeven MYM71080i-B 2.0.5 through 2.0.20 devices send admin credentials in cleartext to pnp.microseven.com TCP port 7007. An attacker on the same network as the device can capture these credentials.
References: [CVE-2021-29255]
 6970 tcp,udp applications Members scan Port used by Tivoli Software, RTP (Real Time Transport Protocol), RTSP (Real Time Streaming Protocol), BitTorrent, QuickTime 4 server, RealAudio.

Trojans using this port: GateCrasher
 6942 tcp applications not scanned BitTorrent, SubEthaEdit text editor
 6900 tcp,udp applications not scanned BitTorrent part, Windows Live Messenger, MSN Messenger, Ragnarok Online Server

IANA registered for: R*TIME Viewer Data Interface (TCP)
 6891 tcp,udp applications Premium scan BitTorrent, Windows Live Messenger, MSN Messenger

Trojans using this port: Force (6891/tcp only)

aMSN (aka Alvaro's Messenger) allows remote attackers to cause a denial of service (client hang and termination of client's instant-messaging session) by repeatedly sending crafted data to the default file-transfer port (TCP 6891).
References: [CVE-2006-0138]
 6892 tcp,udp applications not scanned BitTorrent, Windows Live Messenger
 6893 tcp,udp applications not scanned BitTorrent, Windows Live Messenger
 6894 tcp,udp applications not scanned BitTorrent, Windows Live Messenger (File transfer)
 6895 tcp,udp applications not scanned BitTorrent, Windows Live Messenger (File transfer)
 6896 tcp,udp applications not scanned BitTorrent, Windows Live Messenger (File transfer)
 6897 tcp,udp applications not scanned BitTorrent, Windows Live Messenger (File transfer)
 6898 tcp,udp applications not scanned BitTorrent, Windows Live Messenger (File transfer)
 6899 tcp,udp applications not scanned BitTorrent, Windows Live Messenger (File transfer)
 6809 tcp,udp applications not scanned cman (cluster manager)

Multiple stack-based buffer overflows in FSD 2.052 d9 and earlier, and FSFDT FSD 3.000 d9 and earlier, allow (1) remote attackers to execute arbitrary code via a long HELP command on TCP port 3010 to the sysuser::exechelp function in sysuser.cc and (2) remote authenticated users to execute arbitrary code via long commands on TCP port 6809 to the servinterface::sendmulticast function in servinterface.cc, as demonstrated by a PIcallsign command.
References: [CVE-2007-5256] [BID-25883] [SECUNIA-27008]
 6800 tcp applications not scanned Resin server, Resin Watchdog
 6777 tcp,udp applications Premium scan BlackSite - Area 51

Trojans using this port: W32.Gaobot, W32/Bagle@MM [Symantec-2004-011815-3332-99]

Backdoor.Win32.IRCBot.gen / Unauthenticated Remote Command Execution - the malware listens on TCP port 6777. Third-party attackers who can reach infected systems can execute commands. Commands must be wrapped in quotes or it will fail.
References: [MVID-2021-0300]

IANA registered for: netTsunami Tracker (TCP)
 6681 tcp,udp applications not scanned UPnP, Bittorent, peer-to-peer
 6661 tcp applications Members scan Internet Relay Chat

BigAnt IM Sever is vulnerable to a stack-based buffer overflow, caused by improper bounds checking when processing TCP requests by AntServer.exe. By sending a specially-crafted DDNF command containing an overly long string to TCP port 6661, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-83351], [EDB-24943]

Trojans using this port: Weia-Meia, TEMan
 6662 tcp applications not scanned Internet Relay Chat, Radmind protocol
 6664 tcp applications Members scan Internet Relay Chat

W32.Zotob.K trojan [Symantec-2005-082415-0814-99] exploits Windows vulnerabilities on port 445, opens UDP port 69 for TFTP, listens to TCP ports 6664 and 8172.
 12399 tcp applications not scanned Multiple buffer overflows in 7-Technologies (7T) Interactive Graphical SCADA System (IGSS) 9.0.0.11355 and earlier allow remote attackers to execute arbitrary code or cause a denial of service via a crafted packet to TCP ports 12397 or 12399.
References: [CVE-2011-4537], [BID-51157]
 12397 tcp applications not scanned Multiple buffer overflows in 7-Technologies (7T) Interactive Graphical SCADA System (IGSS) 9.0.0.11355 and earlier allow remote attackers to execute arbitrary code or cause a denial of service via a crafted packet to TCP ports 12397 or 12399.
References: [CVE-2011-4537], [BID-51157]

Directory traversal vulnerability in dc.exe 9.00.00.11059 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allows remote attackers to execute arbitrary programs via ..\ (dot dot backslash) sequences in opcodes (1) 0xa and (2) 0x17 to TCP port 12397.
References: [CVE-2011-1566] [BID-46936] [SECUNIA-43849]

Stack-based buffer overflow in Schneider Electric Interactive Graphical SCADA System (IGSS) 10 and earlier allows remote attackers to execute arbitrary code by sending TCP port-12397 data that does not comply with a protocol.
References: [CVE-2013-0657]
 6595 tcp applications Members scan Backdoor.Assasin.C trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker.
 6436 tcp,udp applications not scanned LimeWire Client, Gnutella, PhatBox
 6331 udp applications not scanned Windows Live OneCare (WinSs.exe)
 6262 tcp,udp applications not scanned Advantage Database Server, Security Manager Plus, Web Callback Standard Protocol, License Server (Poseidon for UML)

Sybase Advantage Server is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the ADS process. By sending specially-crafted packets to UDP port 6262, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.
References: [XFDB-68250], [OSVDB-73728], [BID-48464], [SECUNIA-45069]
 6080 tcp applications Premium scan noVNC uses TCP port 6080 (console URL), TCP ports 80 or 443 (Horizon GUI), and ports 5900+

PSI Webhosting, BridgeChannel

Stack-based buffer overflow in the AntServer module (AntServer.exe) in BigAnt IM Server in BigAnt Messenger 2.2 allows remote attackers to execute arbitrary code via a long URI in a request to TCP port 6080.
References: [CVE-2008-1914], [BID-28795]
 5993 tcp,udp applications not scanned Remote Synchronization (GoldSync), Private game server

IANA registered for: DMTF WBEM CIM REST (TCP)
 5864 tcp,udp applications not scanned BiblioFile
 5843 tcp,udp applications not scanned IIS Admin Service
 5799 tcp,udp applications not scanned ECC Server
 5645 tcp,udp applications not scanned Voyager Server
Malicious services using this port: IRC-based Botnet
 5667 tcp applications not scanned NSCA (Nagios), MOHAA Reverend
 5656 tcp applications not scanned MOHAA Reverend

IBM Lotus Sametime p2p file transfer
 5657 tcp applications not scanned MOHAA Reverend
 5658 tcp applications not scanned MOHAA Reverend
 5665 tcp applications not scanned MOHAA Reverend
 5666 tcp applications Premium scan MOHAA Reverend, Nagios NRPE

PC Crasher trojan also uses this port.

SuperDoctor5 - 'NRPE' Remote Code Execution
References: [EDB-47030]

Nagios Remote Plugin Executor (IANA official)
 5577 tcp applications not scanned MOHAA Reverend, iSeries Access
 5544 tcp applications Premium scan MOHAA Reverend

W32.Zotob trojan/worm also uses this port.
 5522 tcp,udp applications Premium scan MOHAA Reverend, Telnet
Malicious services using this port: WinShell Backdoor
 5494 tcp,udp applications not scanned MobiControl Deployment server
 5445 udp applications not scanned Cisco Unified Video Advantage

ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl –diag)
 5280 tcp,udp applications not scanned Xvnc, Bidirectional-streams Over Synchronous HTTP (BOSH) (TCP)
Extensible Messaging and Presence Protocol (XMPP) also uses this port
 5180 tcp applications Premium scan Backdoor.Peeper [Symantec-2003-091918-3229-99] (2003.09.19) - a trojan horse that allows its creator to control an infected computer. By default, it listens on TCP port 5180

Applications that use this port: Netscape, Neverwinter Nights 2
Note: Netscape 7 opens this port on localhost only (could be related to the built-in AIM)
 5110 tcp applications Premium scan Applications using this port: ProRat Server

Trojans using this port: BDS/Hupigon.bsw, BDS/Prorat.M.B.38, ProRAT
 5106 tcp applications not scanned A-Talk Common connection
 5107 tcp applications not scanned A-Talk Remote server connection

Disk to Disk replication (IANA official)
 5021 tcp,udp applications not scanned zenginkyo-2, LocationFree
 5017 tcp applications Premium scan Applications using this port: Astronomical Image Processing System (AIPS), Ojo (UDP)

Malicious services using this port: Win32-Pakes-AKM, WORM_NUWAR
 5001 tcp applications Members scan Yahoo Messenger Chat, Evertech (TCP/UDP), SlingBox (TCP/UDP), commplex-link, Iperf (Tool for measuring TCP and UDP bandwidth performance) (TCP/UDP), Synology Inc. Secured Management Console, File Station (TCP/UDP), Audio Station (TCP/UDP)

Malicious services using this port:
Back Door setup trojan, Sockets des Troie trojan

Ipdsserver.exe in Intermate WinIPDS 3.3 G52-33-021 allows remote attackers to cause a denial of service (CPU consumption) via short packets on TCP port 5001 with the 3, 5, 7, 13, 14, or 15 packet types.
References: [CVE-2008-0791], [BID-27757]

Unspecified vulnerability in HP LoadRunner 9.52 allows remote attackers to execute arbitrary code via network traffic to TCP port 5001 or 5002, related to the HttpTunnel feature.
References: [CVE-2011-0272] [BID-45792] [SECUNIA-42898] [OSVDB-70432]

Xen Mobile through 10.8.0 includes a service listening on port 5001 within its firewall that accepts unauthenticated input. If this service is supplied with raw serialised Java objects, it deserialises them back into Java objects in memory, giving rise to a remote code execution vulnerability. NOTE: the vendor disputes that this is a vulnerability, stating it is "already mitigated by the internal firewall that limits access to configuration services to localhost."
References: [CVE-2018-18013]

In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vulnerable parameters. An attacker must be authenticated to exploit this issue to access sensitive information to aid in subsequent attacks.
References: [CVE-2017-15359], [EDB-42991]

Forcepoint User ID (FUID) server versions up to 1.2 have a remote arbitrary file upload vulnerability on TCP port 5001. Successful exploitation of this vulnerability may lead to remote code execution. To fix this vulnerability, upgrade to FUID version 1.3 or higher. To prevent the vulnerability on FUID versions 1.2 and below, apply local firewall rules on the FUID server to disable all external access to port TCP/5001. FUID requires this port only for local connections through the loopback interface.
References: [CVE-2019-6139]

A conference management system of ZTE is impacted by a command execution vulnerability. Since the soapmonitor's java object service is enabled by default, the attacker could exploit this vulnerability to execute arbitrary commands by sending a deserialized payload to port 5001.
References: [CVE-2021-21741]

The Motorola MOSCAD and ACE line of RTUs through 2022-05-02 omit an authentication requirement. They feature IP Gateway modules which allow for interfacing between Motorola Data Link Communication (MDLC) networks (potentially over a variety of serial, RF and/or Ethernet links) and TCP/IP networks. Communication with RTUs behind the gateway is done by means of the proprietary IPGW protocol (5001/TCP). This protocol does not have any authentication features, allowing any attacker capable of communicating with the port in question to invoke (a subset of) desired functionality.
References: [CVE-2022-30276]
 4890 tcp,udp applications Premium scan Malicious Services: W32/ Stration (worm)

Applications: Linux Gateway
 4833 tcp,udp applications not scanned James, Novell
 4811 tcp,udp applications not scanned TimeTracker
 4797 tcp,udp applications not scanned Integrated Process Server, ProFTPD
 4795 tcp,udp applications not scanned DB2, Limewire
 4783 tcp,udp applications not scanned Windows Socket Control, Backup Exec
 4774 tcp,udp applications not scanned Amcheck, aMule

IANA registered for: Converge RPC (TCP)
 4747 tcp applications not scanned Apprentice, Azureus, Glassfish, AppletView
 4726 tcp,udp applications not scanned Port Reporter, Mbone
 4627 tcp,udp applications Premium scan Applications: QualiSystems TestShell Suite Services

Lala backdoor [Symantec-2002-122014-1523-99] - a trojan horse that allows unauthorized access to a compromised computer. The Trojan attempts to steal confidential information (such as cached passwords and cookies), log keystrokes, and allow for remote file execution. Opens TCP/UDP port 4627, 1149, or 1877 to allow remote access.
 4525 tcp,udp applications not scanned Java, postfix SMTP
 3002 tcp applications not scanned The web100 NDT (Network Diagnostic Tool) server uses ports 3001, 3002, and 3003 tcp to communicate with the Java applet on the client's desktop. NDT also uses port 7123/tcp.

Miralix CSTA

IANA registered for: EXLM Agent (TCP/UDP)
 3003 tcp applications not scanned The web100 NDT (Network Diagnostic Tool) server uses ports 3001, 3002, and 3003 tcp to communicate with the Java applet on the client's desktop. NDT also uses port 7123/tcp.

Miralix GreenBox API
Viewgate Classic DVR also uses port 3003 (TCP/UDP)

IANA registered for: CGMS (TCP/UDP)
 51210 tcp applications not scanned Dialpad
 1584 tcp applications not scanned Dialpad
 1585 tcp applications not scanned Dialpad

Vulnerabilities listed: 100 (some use multiple ports)
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About