The Broadband Guide
SG

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please let us know. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 530 tcp trojan Premium scan W32.kibuv.worm
 531 tcp chat Premium scan Port used by IRC chat

Trojans using this port: Rasmin, Net666
 535 udp CORBA IIOP Premium scan Common Object Request Broker Architecture (CORBA) is an object-oriented remote procedure call (RPC) system. If you are on a cable-modem or DSL VLAN, then you may see broadcasts to this port. CORBA broadcasts send out information that can often be used to hack back into the systems generating these broadcasts.
 540 tcp uucp Members scan A famous file transfer service; potential vulnerability.
 541 tcp,udp uucp-rlogin not scanned Fortinet FortiGate and FortiWiFi 4.00.6 and possibly earlier versions are susceptible to man-in-the-middle attacks (CWE-300) and a heap-based overflow vulnerability (CWE-122). The vulnerabilities exist in the FortiManager service running on TCP port 541.
References: [CVE-2014-2216], [CVE-2014-0351]

IANA registered for: uucp-rlogin
 543 tcp klogin not scanned Kerberos login
Related ports: 88,464,544,749,751
 544 tcp kshell not scanned Kerberos remote shell
Related ports: 88,464,543,749,751

A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to TCP connection information not being properly validated when connecting to a protocol translation resource and can be exploited to cause a reload via specially crafted packets sent to TCP ports 514 or 544. Successful exploitation requires a vulnerable protocol translation configuration or a Telnet-to-PAD protocol translation ruleset to be configured.
References: [CVE-2013-1147] [SECUNIA-52785]
 545 tcp aspentech not scanned AspenTech Cim-IO uses this port for their industrial communications (process historian). PI 3 server uses port 5450 and PI 2 server uses port 545.
 546 tcp,udp DHCP Premium scan DHCP(v6) Client
 547 tcp,udp DHCP Premium scan DHCP(v6) Server
 548 tcp afpovertcp not scanned AppleShare, Personal File Sharing, Apple File Service

ExtremeZ-IP.exe in ExtremeZ-IP File and Print Server 5.1.2x15 and earlier allows remote attackers to cause a denial of service (daemon crash) via an invalid UAM field in a request to the Apple Filing Protocol (AFP) service on TCP port 548.
References: [CVE-2008-0759], [BID-27718]

Novell Netware is vulnerable to a denial of service, caused by a NULL pointer dereference in the AFPTCP.nlm module. By sending a specially-crafted AFP request to TCP port 548, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [CVE-2010-0317], [XFDB-55389], [BID-37616], [OSVDB-61604]
 551 tcp,udp cybercash not scanned cybercash [Donald E Eastlake] [RFC 1898] (IANA official)
 554 tcp ms-rtsp Members scan Port used by Real Time Streaming Protocol (RTSP) for Microsoft Windows Media streaming services and QuickTime Streaming Server (QTSS).

RTSP uses the following ports:
554 TCP - used for accepting incoming RTSP client connections and for delivering data packets to clients that are streaming by using RTSPT.
5004 UDP - used for delivering data packets to clients that are streaming by using RTSPU.
5005 UDP - used for receiving packet loss information from clients and providing synchronization information to clients that are streaming by using RTSPU.

Multiple Vivotek IP Camera products could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. If RTSP authentication is set to basic, an attacker could send a specially-crafted request to TCP port 554 in order to bypass authentication and gain access to the RTSP live video stream.
References: [CVE-2013-4985] [XFDB-88567] [EDB-29516]

Multiple Vivotek IP Cameras products could allow a remote attacker to bypass security restrictions, caused by the failure to restrict access to the video stream. By sending specially-crafted RTSP packets to TCP port 554, an attacker could exploit this vulnerability to access the video stream without authentication.
References: [CVE-2013-1596] [XFDB-83945] [BID-59574]

See also: port 1755 - Microsoft Media Server (MMS) protocol
 555 tcp dsf Members scan Trojans that use this port: 711 trojan (Seven Eleven), Ini-Killer, Net Administrator (NeTadmin), Phase Zero, Stealth Spy

Stack-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555.
References: [CVE-2012-1830]

Siklu EtherHaul could allow a remote attacker to execute arbitrary commands on the system. By connecting to port 555 via telnet, an attacker could exploit this vulnerability to execute arbitrary commands on the system and obtain sensitive information.
References: [CVE-2017-7318], [XFDB-122267]
 559 tcp trojans Premium scan Port used by Domwis remote access trojan. Creates a backdoor and spam proxy on port 559.

Backdoor.Solufina also uses this port.
 563 tcp,udp applications not scanned NNTP protocol over TLS/SSL (NNTPS)
 564 tcp trojan Premium scan Oracle
 569 udp games not scanned Delta Force II
 587 tcp smtp Basic scan Outgoing SMTP Mail port (TLS/Start TLS Port)
Used by various outgoing mail servers as an alternative to port 25.
Yahoo SMTP server uses this port, Apple MobileMe Mail (SMTP authentication), Gmail.
See [RFC2476]
 589 tcp trojan Premium scan Assasin trojan
 591 tcp,udp http-alt not scanned FileMaker, Inc. - HTTP Alternate
 593 tcp Members scan MS Security Bulletin [MS03-026] outlines a critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
 600 tcp trojan Premium scan SweetHeart, Sadmind
 601 tcp,udp syslog-conn not scanned Reliable Syslog Service (IANA official) [RFC 3195]
 602 tcp,udp xmlrpc-beep not scanned XML-RPC over BEEP (IANA official) [RFC 3529]
 603 tcp,udp idxp not scanned IDXP (IANA official) [RFC 4767]
 604 tcp,udp tunnel not scanned TUNNEL (IANA official) [RFC 3620]
 605 tcp trojan Premium scan Secret Service Trojan

SOAP over BEEP [RFC 3288] (IANA official)
 606 tcp trojan Premium scan Secret Service trojan horse
 607 tcp games not scanned Operation Flashpoint, Railroad Tycoon 3
 608 udp sift-uft not scanned Directory traversal vulnerability in eFileGo 3.01 allows remote attackers to execute arbitrary code, read arbitrary files, and upload arbitrary files via a ... (triple dot) in (1) the URL on port 608 and (2) the argument to upload.exe.
References: [CVE-2005-4622] [BID-16124] [OSVDB-22151] [SECUNIA-18279]

Sender-Initiated/Unsolicited File Transfer (IANA official)
 620 tcp,udp games not scanned Dark and Light
 622 tcp games not scanned Dark Ages of Camelot
 623 tcp trojan Premium scan RTB 666

Stack-based buffer overflow in the DPC Proxy server (DpcProxy.exe) in ASUS Remote Console (a.k.a. ARC or ASMB3) 2.0.0.19 and 2.0.0.24 allows remote attackers to execute arbitrary code via a long string to TCP port 623.
References: [CVE-2008-1491], [BID-28394]

Port is also IANA registered for DMTF out-of-band web services management protocol.
 623 udp ipmi Premium scan Port is used by IPMI and BMC management systems. HP, Dell, and SuperMicro IPMI 1.5 and 2.0 protocols, Intel Xserves Lights-Out-Monitoring (LOM) feature all use this port.

IPMI-based systems have a number of possible attack vectors, such as cleartext passwords, and even anonymous access via the ipmitool command to reset the password of any other user without authentication. IPMI 2.0 systems share the (SHA1 or MD5) password hash with unauthenticated clients, allowing for offline cracking. IPMI systems also store user passwords in cleartext, so a single compromised user can be used to trivially obtain even the strongest passwords for other accounts. SuperMicro BMCs are vulnerable to an additional overflow exploit in their UPnP SSDP service (UDP 1900) that will grant root access to the BMC.

See: [CVE-2013-4786], [CVE-2013-4038], [CVE-2013-4037], [CVE-2013-4031]

Cisco Unified Computing System is vulnerable to a buffer overflow, caused by improper bounds checking by the Intelligent Platform Management Interface (IPMI) implementation. By sending a specially-crafted request to UDP port 623, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2013-1183] [XFDB-83771] [BID-59453]
 624 tcp games not scanned Operation Flashpoint
 625 tcp dsproxy not scanned DirectoryService, Open Directory Assistant, Workgroup Manager.

Port is IANA registered for DEC DLM.
 626 tcp applications not scanned Apple IMAP Administration (Mac OS X Server 10.2.8 or earlier, AppleShare IP 6)
 629 tcp,udp ipcserver not scanned Mac OS X RPC-based services like NetInfo use this port.

Port is also IANA registered for 3Com AMP3
 631 tcp ipp not scanned Mac OS X Printer Sharing

Unknown vulnerability in the Internet Printing Protocol (IPP) implementation in CUPS before 1.1.19 allows remote attackers to cause a denial of service (CPU consumption from a "busy loop") via certain inputs to the IPP port (TCP 631).
References: [CVE-2003-0788] [BID-8952] [SECUNIA-10123]
 631 udp applications not scanned Double free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via crafted UDP Browse packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer.
References: [CVE-2008-0882], [BID-27906], [SECUNIA-28994]

The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port. This can be exploited by sending an empty UDP datagram to port 631, which can cause cupsd to stop listening on that port.
References: [CVE-2004-0558] [SECUNIA-12556]

Port also IANA registered for IPP (Internet Printing Protocol)
 635 tcp,udp NFS mount Members scan RPC Remote filesystem access mount service - a very popular attack vector, often scanned for. Most scans on this port are UDP-based, but they are increasingly TCP-based (mountd runs on both ports simultaneously). Note that mountd can run at any port (for which you must first do a portmap lookup at port 111), it's just that Linux defaulted to port 635 in much the same way that NFS universally runs at port 2049.

ADM worm also uses this port (TCP).
 636 tcp ldaps not scanned LDAPS - Lightweight Directory Access Protocol over TLS/SSL

Novell eDirectory and Netware are vulnerable to a denial of service, caused by the improper allocation of memory by the LDAP_SSL daemon. A remote attacker could exploit this vulnerability to cause a system-wide denial of service via TCP port 636.
References: [XFDB-67468], [EDB-17298]
 639 tcp,udp msdp not scanned MSDP - Multicast Source Discovery Protocol
 641 tcp,udp proxy not scanned SupportSoft Nexus Remote Command (control/listening): A proxy gateway connecting remote control traffic
 650 tcp trojan Premium scan Assasin
 650 udp games not scanned Black and White
 653 tcp,udp proxy not scanned SupportSoft Nexus Remote Command (data): A proxy gateway connecting remote control traffic
 654 tcp trojans Premium scan Official use by AODV (Ad-hoc On-demand Distance Vector)
Port also used by HoaVelu trojan
 660 tcp,udp mac-srvr-admin not scanned Mac OS X Server administration

Zaratustra trojan also uses this port (TCP).

Buffer overflow in the GUI admin service in Mac OS X Server 10.3 allows remote attackers to cause a denial of service (crash and restart) via a large amount of data to TCP port 660.
References: [CVE-2004-1832], [BID-9914]
 661 tcp trojan Premium scan NokNok trojan
 665 tcp trojans Members scan W32.Netsky.Z@mm (06.27.2004) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 665/tcp to receive and execute a file from an attacker.

Some other trojans also use this port: lpdw0rm, Shadow Phyre, ServU, Satans Back Door - SBD, NokNok, Cain & Abel, Back Construction, BLA trojan, th3r1pp3rz (= Therippers)
 666 tcp,udp doom Members scan Used by the game Doom (ID Software); however, because of the cool connotations, this port is also used by numerous trojan horses/backdoors.
Here is a list: Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, th3r1pp3rz (the rippers), lpdw0rm.
Backdoor.FTP_Ana.C - backdoor trojan, 03.2003. Affects all current Windows versions.
Backdoor.Checkesp - backdoor trojan, 06.2003. Affects all current Windows versions.
Backdoor.Private - backdoor trojan, 05.2003. Affects all current Windows versions.
W32.Dreffort (04.05.2005) - Infects .exe and .scr files, deletes files on Dec. 29th. Also opens a backdoor on the 29th of each month on port 666/tcp.
Backdoor.Microkos (08.10.2005) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands on port 65111/tcp, and can also open an additional backdoor on port 666/tcp.
Backdoor.Beasty - a backdoor Trojan horse that allows complete access to an infected computer. By default, the Trojan listens on port 666 and notifies the hacker through ICQ.

Dark and Light also uses this port.
 667 tcp trojans Premium scan SniperNet remote access trojan, 02.2000. Affects Windows 9x
 668 tcp trojans Premium scan Unicorn, th3r1pp3rz
 669 tcp trojans Premium scan Trojans that use this port: DP trojan, SniperNet

Port is also IANA assigned for: MeRegister
 674 tcp ACAP Premium scan ACAP -- Application Configuration Access Protocol

References: RFC2244, RFC2595, RFC2636
 680 tcp trojan Premium scan RTB 666
 683 udp games not scanned Delta Force
 689 tcp,udp nmap not scanned A vulnerability in the way Novell NetMail handles NMAP "STOR" commands may cause a buffer overflow that may allow remote execution of arbitrary code. Novell NetMail's implementation of the Network Messaging Application Protocol (NMAP) contains a buffer overflow that may occur when processing parameters supplied to the "STOR" command. An attacker must login to an affected system in order to take advantage of this vulnerability. The vulnerable daemon, nmapd.exe, binds to port 689/tcp.
References: [CVE-2006-6424], [BID-21725]

IANA registered for: NMAP
 692 tcp trojan Premium scan GayOL trojan
 694 udp applications not scanned XHA (Linux-HA) on the BlueCat Networks Adonis DNS/DHCP Appliance 5.0.2.8 allows remote attackers to cause a denial of service (heartbeat control process crash) via a UDP packet to port 694.
References: [CVE-2007-4205]

Multiple format string vulnerabilities in heartbeat 0.4.9 and earlier (claimed as buffer overflows in some sources) allow remote attackers to execute arbitrary code via certain packets to UDP port 694 (incorrectly claimed as TCP in some sources).
References: [CVE-2002-1215] [BID-5955]

Port is also IANA registered for ha-cluster.
 699 tcp games not scanned City of Heroes
 700 udp buddyphone not scanned Port used by BuddyPhone Internet Telephony software. Also uses TCP range 5000-5111.
 700 tcp trojan Premium scan REx

Extensible Provisioning Protocol (TCP/UDP) (IANA official) [RFC 5734]
 701 udp applications not scanned Blubster 2.5 allows remote attackers to cause a denial of service (crash) via a flood of connections to UDP port 701.
References: [CVE-2003-0760], [BID-8482]

Port is also IANA registered for Link Management Protocol (LMP) [RFC 4204]
 702 tcp,udp iris-beep not scanned IRIS over BEEP (IANA official) [RFC 3983]
 705 tcp agentx not scanned RealNetworks Helix Server is vulnerable to a denial of service, caused by an error in the SNMP Master Agent process (master.exe). By establishing and immediately closing a TCP connection on port 705, a remote attacker could exploit this vulnerability to cause the service to terminate.
References: [XFDB-74674], [BID-52929]

IANA registered for: AgentX
 712 tcp,udp tbrpf not scanned TBRPF (IANA official) [RFC 3684]
 714 tcp,udp iris-xpcs not scanned IRIS over XPCS (IANA official) [RFC 4992]
 715 tcp,udp iris-lwz not scanned IRIS-LWZ (IANA official) [RFC 4993]
 716 udp pana not scanned PANA Messages (IANA official) [RFC 5191]
 722 tcp,udp applications not scanned A FreeBSD patch for SSH on 2000-01-14 configures ssh to listen on port 722 as well as port 22, which might allow remote attackers to access SSH through port 722 even if port 22 is otherwise filtered.
References: [CVE-2000-0532], [BID-1323]
 749 tcp,udp kerberos not scanned Kerberos administration
Related ports: 88,464,543,544,751
 751 tcp,udp pump not scanned Port used by kerberos_master, Kerberos 'kadmin' (v4) authentication.
IANA assigned to: pump
 777 tcp multiling-http Members scan Trojans that use this port: AimSpy (AIM trojan), Un-Detected (a.k.a. Backdoor.TDS, 4Fuk, Trojan.Win32.TrojanRunner.Levil, U4).

Heap-based buffer overflow in HistorySvr.exe in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a long request to TCP port 777.
References: [CVE-2011-0406], [BID-45727]

Port also IANA registered for Multiling HTTP
 778 tcp trojan Premium scan BackDoor.Netcrack.B
 785 tcp trojan Premium scan NetworkTerrorist
 798 tcp trojan Premium scan Oracle
 799 tcp applications not scanned Remotely Possible (ControlIT)
 800 tcp trojan Premium scan NeuroticKitten
 801 tcp games not scanned Dark Ages of Camelot

Stack consumption vulnerability in WebContainer.exe 1.0.0.336 and earlier in SLMail Pro 6.3.1.0 and earlier allows remote attackers to cause a denial of service (daemon crash) via a long request header in an HTTP request to TCP port 801.
References: [CVE-2008-1689], [BID-28505]

WebContainer.exe 1.0.0.336 and earlier in SLMail Pro 6.3.1.0 and earlier allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a long URI in HTTP requests to TCP port 801. NOTE: some of these details are obtained from third party information.
References: [CVE-2008-1690] [BID-28505] [SECUNIA-29614]

device (IANA official)
 808 tcp trojan Premium scan WinHole trojan

Progea Movicon is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when handling the Content-Length header. By sending a specially-crafted request to TCP port 808, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2011-3491], [BID-49605]

Port is also used by Microsoft Net.TCP Port Sharing Service
 809 tcp,udp applications not scanned Wingate VPN
 815 tcp,udp trojan not scanned Everyone's Darling trojan horse
 829 tcp trojans Premium scan Backdoor.Uzbet (2003.07.17) - a trojan that runs as a proxy server under Windows 2000/XP

Port used by CMP (Certificate Management Protocol) (unofficial) for managing Public Key Infrastructures (PKI) based on X.509v3 certificates.

Port also IANA registered for PKIX-3 CA/RA
 830 tcp,udp netconf-ssh not scanned NETCONF over SSH (IANA official) [RFC 6242]
 831 tcp trojan Premium scan NeuroticKat

NETCONF over BEEP (IANA official) [RFC 4744]
 832 tcp,udp netconfsoaphttp not scanned NETCONF for SOAP over HTTPS (IANA official) [RFC 4743]
 833 tcp,udp netconfsoapbeep not scanned NETCONF for SOAP over BEEP (IANA official) [RFC 4743]
 843 tcp applications not scanned Adobe Flash socket policy server
 848 udp applications not scanned The default configuration of the Group Encrypted Transport VPN (GET VPN) feature on Cisco IOS uses an improper mechanism for enabling Group Domain of Interpretation (GDOI) traffic flow, which allows remote attackers to bypass the encryption policy via certain uses of UDP port 848, aka Bug ID CSCui07698.
References: [CVE-2013-3436]

GDOI (TCP/UDP) (IANA official) [RFC 3547]
 853 tcp,udp domain-s not scanned DNS query-response protocol [IESG] [RFC7858]
 854 tcp,udp dlep not scanned IANA registered for: Dynamic Link Exchange Protocol (DLEP)
 860 tcp,udp iscsi not scanned iSCSI (IANA official) [RFC 7143]
 861 tcp,udp owamp-control not scanned OWAMP-Control (IANA official) [RFC 4656]
 862 tcp,udp twamp-control not scanned Two-way Active Measurement Protocol (TWAMP) Control (IANA official) [RFC 5357]
 873 tcp applications not scanned QNAP NAS uses the following ports:
Web server: 80,8081 TCP and 443,8080 TCP (web admin)
FTP/SFTP/SSH: 20,21,22 TCP and 13131 TCP (telnet)
Remote Replication: 873,8899 TCP
VPN server: 1723 TCP (PPTP), 1194 UDP (OpenVPN)
CloudLink: port 20001 UDP (optional, only required for access without manual port forwarding)

The ANTlabs InnGate firmware on IG 3100, IG 3101, InnGate 3.00 E, InnGate 3.01 E, InnGate 3.02 E, InnGate 3.10 E, InnGate 3.01 G, and InnGate 3.10 G devices does not require authentication for rsync sessions, which allows remote attackers to read or write to arbitrary files via TCP traffic on port 873.
References: [CVE-2015-0932]

F5 BIG-IP could allow a remote attacker to execute arbitrary code on the system, caused by an error within the ConfigSync Access Control Handler component. By connecting to the rsync service on TCP port 873, an attacker could exploit this vulnerability to gain read or write access to the system and execute arbitrary code on the system with root privileges.
References: [XFDB-95624], [EDB-34465], [CVE-2014-2927]
 880 tcp trojan not scanned Common Port for phishing scam sites
 890 tcp trojans not scanned Backdoor.Dsklite (2003.07.01) - a backdoor trojan horse that gives the author of the trojan full access to an infected computer. By default, this trojan listens on port 890.

Vulnerabilities listed: 100 (some use multiple ports)