
Vulnerable Ports

This list (a very small part of our SG Ports database) includes the TCP/UDP ports currently tested by our Security Scanner, and the corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please let us know. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 458 tcp,udp applications not scanned QuickTime Conferencing (MovieTalk)
 464 tcp,udp kpasswd not scanned Kerberos (v5)
Related ports: 88,543,544,749

A vulnerability has been reported in Kerberos, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the kpasswd application not properly handling malformed UDP packets and can be exploited to exhaust CPU and network resources via the UDP "ping-pong" attack on port 464.
References: [CVE-2002-2443], [SECUNIA-53375]
 465 tcp smtp-ssl Premium scan Outgoing SMTP Mail over SSL (SMTPS) [RFC 2487] - older IANA registered port, largely replaced by port 587 and SMTP over TLS.

PlayStation Network and SCEA Game Servers use this port

Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176 can use cleartext SMTP on port 25 in some cases where encryption on port 465 was intended.
References: [CVE-2021-43270]

Message Submission over TLS protocol [RFC8314] (IANA official)
 465 udp igmpv3lite not scanned Cisco IOS 15.2S allows remote attackers to cause a denial of service (interface queue wedge) via malformed UDP traffic on port 465, aka Bug ID CSCts48300.
References: [CVE-2011-4015]

IGMP over UDP for SSM (IANA official)
 476-490 tcp,udp applications not scanned Centro Software ERP ports
 496 udp pim-rp-disc not scanned A vulnerability in the Protocol Independent Multicast (PIM) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause the PIM process to restart, resulting in a denial of service condition on an affected device. The vulnerability is due to the incorrect processing of crafted AutoRP packets. An attacker could exploit this vulnerability by sending crafted packets to port UDP 496 on a reachable IP address on the device. A successful exploit could allow the attacker to cause the PIM process to restart. Software versions prior to 6.2.3, 6.3.2, 6.4.0, and 6.5.1 are affected.
References: [CVE-2019-1712]

IANA registered for: PIM-RP-DISC
 497 tcp,udp applications not scanned retroclient.exe in EMC Dantz Retrospect Backup Client 7.5.116 allows remote attackers to cause a denial of service (daemon crash) via malformed packets to TCP port 497, which trigger a NULL pointer dereference and memory corruption.
References: [CVE-2008-3287] [CVE-2008-3290] [BID-30306] [BID-30313] [SECUNIA-31186]

Buffer overflow in EMC Retrospect Client 5.1 through 7.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet to port 497.
References: [CVE-2006-2391] [BID-17948] [SECUNIA-20080]

EMC Dantz Retrospect 7 backup client 7.0.107, and other versions before 7.0.109, and 6.5 before 6.5.138 allows remote attackers to cause a denial of service (client termination and loss of backup service) via a malformed packet to TCP port 497, which triggers an assert error.
References: [CVE-2006-0995] [BID-16933] [SECUNIA-19097]

Port is IANA registered for: Dantz Retrospect backup and restore service [Retrospect Inc]
 500 tcp,udp ipsec Members scan IPSec (VPN tunneling) uses the following ports:
500/udp - Internet Key Exchange (IKE)
4500/udp - NAT traversal
500/tcp - sometimes used for IKE over TCP
See also:
port 1701 (L2TP)
port 1723 (PPTP)

Some Apple applications use this port as well: Mac OS X Server VPN service, Back to My Mac (MobileMe, Mac OS X v10.5 or later).

Xbox 360 (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP
Xbox One (LIVE) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP, 500 UDP, 3544 UDP, 4500 UDP

isakmp_sub_print in tcpdump 3.6 through 3.7.1 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed ISAKMP packet to UDP port 500, which causes tcpdump to enter an infinite loop.
References: [CVE-2003-0108] [BID-6974]

Microsoft Windows XP allows remote attackers to cause a denial of service (CPU consumption) by flooding UDP port 500 (ISAKMP).
References: [CVE-2002-2117]

Snapgear Lite+ firewall 1.5.3 allows remote attackers to cause a denial of service (IPSEC crash) via a zero length packet to UDP port 500.
References: [CVE-2002-0603] [BID-4659]

Cisco Wireless LAN Controller is vulnerable to a denial of service, caused by an error when handling Internet Key Exchange (IKE) messages. By sending a specially-crafted IKE packet to UDP Port 500, a remote attacker could exploit this vulnerability to cause the device to crash and reload.
References: [CVE-2010-0574] [XFDB-61666] [BID-43059]

A vulnerability in MikroTik Version 6.38.5 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of UDP packets on port 500 (used for L2TP over IPsec), preventing the affected router from accepting new connections; all devices will be disconnected from the router and all logs removed automatically.
References: [CVE-2017-8338], [XFDB-126179]

Vodafone Sure Signal also uses this port
 502 tcp asa-appl-proto not scanned Phoenix Contact FL IL 24 BK-PAC allows remote attackers to cause a denial of service (hang) via (1) unspecified manipulations as demonstrated by a Nessus scan or (2) malformed input to TCP port 502.
References: [CVE-2008-7199]

The modbus_125_handler function in the Schneider Electric Quantum Ethernet Module on the NOE 771 device (aka the Quantum 140NOE771* module) allows remote attackers to install arbitrary firmware updates via a MODBUS 125 function code to TCP port 502.
References: [CVE-2011-4861]

Unspecified vulnerability in the Modbus/TCP Diagnostic function in MiniHMI.exe for the Automated Solutions Modbus Slave ActiveX Control before 1.5 allows remote attackers to corrupt the heap and possibly execute arbitrary code via malformed Modbus requests to TCP port 502.
References: [CVE-2007-4827] [BID-25713] [OSVDB-38259]

Triangle Research International (aka Tri) Nano-10 PLC devices with firmware before r81 use an incorrect algorithm for bounds checking of data in Modbus/TCP packets, which allows remote attackers to cause a denial of service (networking outage) via a crafted packet to TCP port 502.
References: [CVE-2013-2784]

Triangle Research International (aka Tri) Nano-10 PLC devices with firmware r81 and earlier do not properly handle large length values in MODBUS data, which allows remote attackers to cause a denial of service (transition to the interrupt state) via a crafted packet to TCP port 502.
References: [CVE-2013-5741], [OSVDB-97728], [SECUNIA-55782]

Schneider Electric Modicon TM221CE16R 1.3.3.3 devices allow remote attackers to discover the application-protection password via a \x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00 request to the Modbus port (502/tcp). Subsequently the application may be arbitrarily downloaded, modified, and uploaded.
References: [CVE-2017-7575], [BID-97523]

The Auto-Maskin products utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices. The originating device sends a message in plaintext, 48:65:6c:6c:6f:20:57:6f:72:6c:64, "Hello World" over UDP ports 44444-44446 to the broadcast address for the LAN. Without verification devices respond to any of these broadcast messages on the LAN with a plaintext reply over UDP containing the device model and firmware version. Following this exchange the devices allow Modbus transmissions between the two devices on the standard Modbus port 502 TCP. Impact: An attacker can exploit this vulnerability to send arbitrary messages to any DCU or RP device through spoofing or replay attacks as long as they have access to the network. Affected releases are Auto-Maskin DCU-210E RP-210E: Versions prior to 3.7 on ARMv7.
References: [CVE-2018-5400]

An issue was discovered on TENGCONTROL T-920 PLC v5.5 devices. It allows remote attackers to cause a denial of service (persistent failure mode) by sending a series of \x19\xb2\x00\x00\x00\x06\x43\x01\x00\xac\xff\x00 (aka UID 0x43) requests to TCP port 502.
References: [CVE-2019-9590], [XFDB-158222]

Carel pCOWeb HVAC could allow a remote attacker to bypass security restrictions, caused by no authentication mechanism required for Modbus interface on TCP port 502. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
References: [XFDB-170822]

IANA registered for: Modbus Application Protocol, asa-appl-proto
 510 tcp trojans Premium scan T0rnkit sshd backdoor
 511 tcp Premium scan Part of rootkit t0rn, a program called "leeto's socket daemon" runs at this port.
 512 tcp applications not scanned Act P202S VoIP WiFi phone undocumented open port, multiple vulnerabilities.
References: [CVE-2006-0374], [CVE-2006-0375], [BID-16288]
 513 udp applications not scanned Multiple buffer overflows in the Syslog server in ManageEngine EventLog Analyzer 6.1 allow remote attackers to cause a denial of service (SysEvttCol.exe process crash) or possibly execute arbitrary code via a long Syslog PRI message header to UDP port 513 or 514.
References: [CVE-2010-4840]
 513 tcp trojans Premium scan ADM worm, Grlogin

UTStarcom F1000 VOIP WIFI Phone s2.0 running VxWorks 5.5.1 with kernel WIND 2.6 does not allow users to disable access to (1) SNMP or (2) the rlogin port TCP 513, which allows remote attackers to exploit other vulnerabilities such as CVE-2005-3716, or execute arbitrary shell commands via rlogin, which does not require authentication.
References: [CVE-2005-3718] [SECUNIA-17629] [BID-15476]

The Emerson DeltaV SE3006 through 11.3.1, DeltaV VE3005 through 10.3.1 and 11.x through 11.3.1, and DeltaV VE3006 through 10.3.1 and 11.x through 11.3.1 allow remote attackers to cause a denial of service (device restart) via a crafted packet on (1) TCP port 23, (2) UDP port 161, or (3) TCP port 513.
References: [CVE-2012-4703]
 514 tcp shell Members scan Used by rsh (and also rcp), an interactive shell without any logging.

Citrix NetScaler appliance MAS syslog port.

Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, also used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port

Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)


Games that use this port: America's Army

Malware using this port: RPC Backdoor, Whacky, ADM worm

Stack-based buffer overflow in Mike Dubman Windows RSH daemon (rshd) 1.7 allows remote attackers to execute arbitrary code via a long string to the shell port (514/tcp). NOTE: this might overlap [CVE-2007-4006].
References: [CVE-2007-4005] [BID-25044] [SECUNIA-26197]

Denicomp RSHD 2.18 and earlier allows a remote attacker to cause a denial of service (crash) via a long string to port 514.
References: [CVE-2001-0707]

A vulnerability has been reported in Cisco IOS, which can be exploited to cause a DoS (Denial of Service). The vulnerability is caused due to TCP connection information not being properly validated when connecting to a protocol translation resource and can be exploited to cause a reload via specially crafted packets sent to TCP ports 514 or 544. Successful exploitation requires a vulnerable protocol translation configuration or a Telnet-to-PAD protocol translation ruleset to be configured.
References: [CVE-2013-1147] [SECUNIA-52785]
 514 udp applications Premium scan Ooma VoIP - uses UDP port 1194 (VPN tunnel to the Ooma servers for call/setup control), ports 49000-50000 for actual VoIP data, and ports TCP 443, UDP 514, UDP 3480

Multiple buffer overflows in the Syslog server in ManageEngine EventLog Analyzer 6.1 allow remote attackers to cause a denial of service (SysEvttCol.exe process crash) or possibly execute arbitrary code via a long Syslog PRI message header to UDP port 513 or 514.
Reference: [CVE-2010-4840]

Stack-based buffer overflow in the Syslog service (nssyslogd.exe) in Enterasys Network Management Suite (NMS) before 4.1.0.80 allows remote attackers to execute arbitrary code via a long PRIO field in a message to UDP port 514.
References: [CVE-2011-5227] [SECUNIA-47263]

Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-login randomly created password (from the "zmprov ca" command). It is visible in cleartext on port UDP 514 (aka the syslog port).
References: [CVE-2022-32294]
 515 tcp printer Premium scan Printing services, listening for incoming connections

Trojans using this port: MscanWorm, lpdw0rm, Ramen.

Multiple buffer overflows in Client Software WinCom LPD Total 3.0.2.623 and earlier allow remote attackers to execute arbitrary code via a long 0x02 command to the remote administration service on TCP port 13500 or a long invalid control filename to LPDService.exe on TCP port 515.
References: [CVE-2008-5176], [BID-27614]

Stack-based buffer overflow in Winlpd 1.26 allows remote attackers to execute arbitrary code via a long string in a request to TCP port 515.
References: [CVE-2006-3670] [SECUNIA-21058] [BID-19011] [OSVDB-27332]

Buffer overflow in NIPrint 4.10 allows remote attackers to execute arbitrary code via a long string to TCP port 515.
References: [CVE-2003-1141] [BID-8968] [OSVDB-2774] [SECUNIA-10143]

SAPlpd through 7400.3.11.33 in SAP GUI 7.40 on Windows has a Denial of Service vulnerability (service crash) with a long string to TCP port 515.
References: [CVE-2016-10079], [EDB-41030]

spooler (IANA official)
 520 udp router Premium scan RIP (Routing Information Protocol). Routers use RIP in order to advertise routing information to each other and communicate optimal paths.

References: [RFC 1058] & [RFC 2453]

Cisco NX-OS is vulnerable to a denial of service, caused by an error in the Routing Information Protocol (RIP) service engine. By sending a specially-crafted RIPv4 or RIPv6 message to UDP port 520, a remote attacker could exploit this vulnerability to cause the RIP service engine to restart.
References: [CVE-2012-4091] [XFDB-87669] [BID-62838]

A UDP backdoor also uses this port.
 520 tcp efs not scanned ISC DHCP server 4.2 before 4.2.0-P2, when configured to use failover partnerships, allows remote attackers to cause a denial of service (communications-interrupted state and DHCP client service loss) by connecting to a port that is only intended for a failover peer, as demonstrated by a Nagios check_tcp process check to TCP port 520.
References: [CVE-2010-3616], [BID-45360]

Port IANA registered for Extended File Name Server
 522 tcp applications Members scan ULP (User Locator Service) used by collaborative apps and web video conferencing servers to locate and track active users.
 523 udp ibm-db2 not scanned The DB2 Discovery Service for IBM DB2 before FixPak 10a allows remote attackers to cause a denial of service (crash) via a long packet to UDP port 523.
References: [CVE-2003-0827]

IBM-DB2 (TCP/UDP) (IANA official)
 524 tcp,udp applications not scanned Citrix Sign-on plugin/service uses port 524 TCP/UDP for ZENworks communication.

Unspecified vulnerability in the NCP service in Novell eDirectory 8.8.5 before 8.8.5.6 and 8.8.6 before 8.8.6.2 allows remote attackers to cause a denial of service (hang) via a malformed FileSetLock request to port 524.
References: [CVE-2010-4327], [BID-46263]
 527 tcp,udp stx not scanned Stock IXChange [Fraxion Software] (IANA official)
 528 tcp,udp custix not scanned Customer IXChange [Fraxion Software] (IANA official)
 530 tcp trojan Premium scan W32.kibuv.worm
 531 tcp chat Premium scan Port used by IRC chat

Trojans using this port: Rasmin, Net666
 535 udp CORBA IIOP Premium scan Common Object Request Broker Architecture (CORBA) is an object-oriented remote procedure call (RPC) system. If you are on a cable-modem or DSL VLAN, then you may see broadcasts to this port. CORBA broadcasts send out information that can often be used to hack back into the systems generating these broadcasts.
 540 tcp uucp Members scan UUCP, a well-known file transfer service; potential vulnerability.
 541 tcp,udp uucp-rlogin not scanned Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)

Fortinet FortiGate and FortiWiFi 4.00.6 and possibly earlier versions are susceptible to man-in-the-middle attacks and a heap-based overflow vulnerability. The vulnerabilities exist in the FortiManager service running on TCP port 541.
References: [CVE-2014-2216], [CVE-2014-0351]

IANA registered for: uucp-rlogin
 542 commerce not scanned Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)


Commerce Applications (IANA official)
 543 tcp klogin not scanned Kerberos login
Related ports: 88,464,544,749,751
 544 tcp kshell not scanned Kerberos remote shell
Related ports: 88,464,543,749,751

A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to TCP connection information not being properly validated when connecting to a protocol translation resource and can be exploited to cause a reload via specially crafted packets sent to TCP ports 514 or 544. Successful exploitation requires a vulnerable protocol translation configuration or a Telnet-to-PAD protocol translation ruleset to be configured.
References: [CVE-2013-1147] [SECUNIA-52785]
 545 tcp aspentech not scanned AspenTech Cim-IO uses this port for their industrial communications (process historian). PI 3 server uses port 5450 and PI 2 server uses port 545.
 546 tcp,udp DHCP Premium scan DHCP(v6) Client
 547 tcp,udp DHCP Premium scan DHCP(v6) Server
 548 tcp afpovertcp not scanned AppleShare, Personal File Sharing, Apple File Service

ExtremeZ-IP.exe in ExtremeZ-IP File and Print Server 5.1.2x15 and earlier allows remote attackers to cause a denial of service (daemon crash) via an invalid UAM field in a request to the Apple Filing Protocol (AFP) service on TCP port 548.
References: [CVE-2008-0759], [BID-27718]

Novell Netware is vulnerable to a denial of service, caused by a NULL pointer dereference in the AFPTCP.nlm module. By sending a specially-crafted AFP request to TCP port 548, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [CVE-2010-0317], [XFDB-55389], [BID-37616], [OSVDB-61604]
 551 tcp cybercash Premium scan Backdoor.Amitis [Symantec-2003-010717-1940-99] (2003.01.07) Windows remote access trojan. Listens on ports 27, 551. Other variants of Backdoor.Amitis also use ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429.


cybercash [Donald E Eastlake] [RFC 1898] (IANA official)
 554 tcp ms-rtsp Members scan Port used by Real Time Streaming Protocol (RTSP) for Microsoft Windows Media streaming services and QuickTime Streaming Server (QTSS).

RTSP uses the following ports:
554 TCP - used for accepting incoming RTSP client connections and for delivering data packets to clients that are streaming by using RTSPT.
5004 UDP - used for delivering data packets to clients that are streaming by using RTSPU.
5005 UDP - used for receiving packet loss information from clients and providing synchronization information to clients that are streaming by using RTSPU.

Multiple Vivotek IP Camera products could allow a remote attacker to bypass security restrictions, caused by the improper validation of input. If RTSP authentication is set to basic, an attacker could send a specially-crafted request to TCP port 554 in order to bypass authentication and gain access to the RTSP live video stream.
References: [CVE-2013-4985] [XFDB-88567] [EDB-29516]

Multiple Vivotek IP Cameras products could allow a remote attacker to bypass security restrictions, caused by the failure to restrict access to the video stream. By sending specially-crafted RTSP packets to TCP port 554, an attacker could exploit this vulnerability to access the video stream without authentication.
References: [CVE-2013-1596] [XFDB-83945] [BID-59574]

See also: port 1755 - Microsoft Media Server (MMS) protocol
 555 tcp dsf Members scan Trojans that use this port: 711 trojan (Seven Eleven), Ini-Killer, Net Administrator (NeTadmin), Phase Zero, Stealth Spy

Stack-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555.
References: [CVE-2012-1830]

Siklu EtherHaul could allow a remote attacker to execute arbitrary commands on the system. By connecting to port 555 via telnet, an attacker could exploit this vulnerability to execute arbitrary commands on the system and obtain sensitive information.
References: [CVE-2017-7318], [XFDB-122267]

Backdoor.Win32.Phase.11 / Unauthenticated Remote Command Execution - the phAse zero server v1.1 by njord of kr0me corp listens on TCP port 555. Third-party attackers who can reach an infected system can run commands made available by the malware and execute arbitrary programs further compromising the host. Using telnet to connect worked best, to start programs you need to pass an "S" argument preceding the program name like... EXEC S PROGRAM_NAME. Other commands are CURDIR, SHOWMSG etc. The ftpd command can also be initiated to third-party FTP servers to download tools to the infected host.
References: [MVID-2021-0428]
 559 tcp trojans Premium scan Port used by Domwis remote access trojan. Creates a backdoor and spam proxy on port 559.

Backdoor.Solufina [Symantec-2005-030813-5906-99] also uses this port.
 563 tcp,udp applications not scanned NNTP protocol over TLS/SSL (NNTPS)
 564 tcp trojan Premium scan Oracle
 569 udp games not scanned Delta Force II
 587 tcp smtp Members scan Outgoing SMTP Mail port (TLS/Start TLS Port) - used by various mail servers for relaying outgoing mail as a modern alternative to port 25. Gmail, Apple MobileMe Mail, Yahoo SMTP server, etc. all use this port. See [RFC2476]

IANA registered for: Message Submission (TCP/UDP)
 589 tcp trojan Premium scan Assasin trojan
 591 tcp,udp http-alt not scanned FileMaker, Inc. - HTTP Alternate
 593 tcp Members scan MS Security Bulletin [MS03-026] outlines a critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
 600 tcp trojan Premium scan SweetHeart, Sadmind
 601 tcp,udp syslog-conn not scanned Reliable Syslog Service (IANA official) [RFC 3195]
 602 tcp,udp xmlrpc-beep not scanned XML-RPC over BEEP (IANA official) [RFC 3529]
 603 tcp,udp idxp not scanned IDXP (IANA official) [RFC 4767]
 604 tcp,udp tunnel not scanned TUNNEL (IANA official) [RFC 3620]
 605 tcp trojan Premium scan Secret Service Trojan

SOAP over BEEP [RFC 3288] (IANA official)
 606 tcp trojan Premium scan Secret Service trojan horse
 607 tcp games not scanned Operation Flashpoint, Railroad Tycoon 3
 608 udp sift-uft not scanned Directory traversal vulnerability in eFileGo 3.01 allows remote attackers to execute arbitrary code, read arbitrary files, and upload arbitrary files via a ... (triple dot) in (1) the URL on port 608 and (2) the argument to upload.exe.
References: [CVE-2005-4622] [BID-16124] [OSVDB-22151] [SECUNIA-18279]

Sender-Initiated/Unsolicited File Transfer (IANA official)
 620 tcp,udp games not scanned Dark and Light
 622 tcp games not scanned Dark Ages of Camelot
 623 tcp dmtf Members scan IPMI and BMC Remote Management Control Protocol (RMCP) systems typically use port 623/udp, but some servers also listen on port 623/tcp.

RTB 666 trojan

Citrix NetScaler appliance Lights out Management uses ports 4001, 5900, 623 TCP to run a daemon that offers unified configuration management of routing protocols.

Stack-based buffer overflow in the DPC Proxy server (DpcProxy.exe) in ASUS Remote Console (a.k.a. ARC or ASMB3) 2.0.0.19 and 2.0.0.24 allows remote attackers to execute arbitrary code via a long string to TCP port 623.
References: [CVE-2008-1491], [BID-28394]

Port is also IANA registered for DMTF out-of-band web services management protocol.
 623 udp ipmi Premium scan IPMI and BMC Remote Management Control Protocol (RMCP) systems use this port. HP, Dell, and SuperMicro IPMI 1.5 and 2.0 protocols, Intel Xserves Lights-Out-Monitoring (LOM) feature all use this port.
IPMI-based systems have a number of possible attack vectors, such as cleartext passwords and even anonymous access via the ipmitool command to reset the password of any other user without authentication. IPMI 2.0 systems share the (SHA1 or MD5) password hash with unauthenticated clients, allowing for offline cracking. IPMI systems also store user passwords in cleartext, so a single compromised user can be used to trivially obtain even the strongest passwords for other accounts. SuperMicro BMCs are vulnerable to an additional overflow exploit in their UPnP SSDP service (UDP 1900) that will grant root access to the BMC.
See: [CVE-2013-4786], [CVE-2013-4038], [CVE-2013-4037], [CVE-2013-4031]

Cisco Unified Computing System is vulnerable to a buffer overflow, caused by improper bounds checking by the Intelligent Platform Management Interface (IPMI) implementation. By sending a specially-crafted request to UDP port 623, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2013-1183] [XFDB-83771] [BID-59453]
 624 tcp games not scanned Operation Flashpoint
 625 tcp dsproxy not scanned DirectoryService, Open Directory Assistant, Workgroup Manager.

Port is IANA registered for DEC DLM.
 626 tcp applications not scanned Apple IMAP Administration (Mac OS X Server 10.2.8 or earlier, AppleShare IP 6)
 629 tcp,udp ipcserver not scanned Mac OS X RPC-based services like NetInfo use this port.

Port is also IANA registered for 3Com AMP3
 631 tcp ipp not scanned Mac OS X Printer Sharing

Unknown vulnerability in the Internet Printing Protocol (IPP) implementation in CUPS before 1.1.19 allows remote attackers to cause a denial of service (CPU consumption from a "busy loop") via certain inputs to the IPP port (TCP 631).
References: [CVE-2003-0788] [BID-8952] [SECUNIA-10123]
 631 udp applications not scanned Double free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via crafted UDP Browse packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer.
References: [CVE-2008-0882], [BID-27906], [SECUNIA-28994]

The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port. This can be exploited by sending an empty UDP datagram to port 631, which can cause cupsd to stop listening on that port.
References: [CVE-2004-0558] [SECUNIA-12556]

Port also IANA registered for IPP (Internet Printing Protocol)
 635 tcp,udp NFS mount Members scan RPC Remote filesystem access mount service - a very popular attack vector, often scanned for. Most scans on this port are UDP-based, but they are increasingly TCP-based (mountd runs on both ports simultaneously). Note that mountd can run at any port (for which you must first do a portmap lookup at port 111), it's just that Linux defaulted to port 635 in much the same way that NFS universally runs at port 2049.

ADM worm also uses this port (TCP).
 636 tcp ldaps Members scan LDAPS - Lightweight Directory Access Protocol over TLS/SSL. See also LDAP port 389/tcp.

Used by VMware, Siemens OpenStage and Gigaset phones, etc.

Novell eDirectory and Netware are vulnerable to a denial of service, caused by the improper allocation of memory by the LDAP_SSL daemon. A remote attacker could exploit this vulnerability to cause a system-wide denial of service via TCP port 636.
References: [XFDB-67468], [EDB-17298]

Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc. It is active as of March 2022 and is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443
 639 tcp,udp msdp not scanned MSDP - Multicast Source Discovery Protocol
 641 tcp,udp proxy not scanned SupportSoft Nexus Remote Command (control/listening): A proxy gateway connecting remote control traffic
 646 tcp ldp not scanned McAfee ePO uses these ports:
80, 443, 8443, 8444 TCP - HTTP(S) traffic
389, 646 - LDAP, LDAPS
881 TCP - receiving security threat feed
1433 TCP, 1434 UDP - communication with SQL server
8081 TCP - outbound wakeup requests from the McAfee ePO server
8082 UDP - outbound traffic from superagents forwarding server messages

LDP, Label Distribution Protocol, a routing protocol used in MPLS networks (official)
 650 tcp trojan Premium scan Assasin

The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that forces a 4-digit password) allows remote attackers to easily obtain administrative access via brute-force attacks.
References: [CVE-2021-25309]
 650 udp games not scanned Black and White
 653 tcp,udp proxy not scanned SupportSoft Nexus Remote Command (data): A proxy gateway connecting remote control traffic
 654 tcp trojans Premium scan Official use by AODV (Ad-hoc On-demand Distance Vector)
Port also used by HoaVelu trojan
 655 tcp,udp tinc not scanned Stack-based buffer overflow in the receive_tcppacket function in net_packet.c in tinc before 1.0.21 and 1.1 before 1.1pre7 allows remote authenticated peers to cause a denial of service (crash) or possibly execute arbitrary code via a large TCP packet.
References: [CVE-2013-1428], [EDB-35441], [BID-59369]

IANA registered for: TINC
 660 tcp,udp mac-srvr-admin not scanned Mac OS X Server administration

Zaratustra trojan also uses this port (TCP).

Buffer overflow in the GUI admin service in Mac OS X Server 10.3 allows remote attackers to cause a denial of service (crash and restart) via a large amount of data to TCP port 660.
References: [CVE-2004-1832], [BID-9914]

Backdoor.Win32.Zaratustra / Unauthenticated Remote File Write (Remote Code Exec) - Zaratustra malware listens on TCP port 660. Third-party attackers who can reach infected systems can use a socket program to send binary data for execution. The malware writes that data to a file named "x.exe" on the C: drive and executes it once the download completes.
References: [MVID-2021-0315]
 661 tcp trojan Premium scan NokNok trojan
 665 tcp trojans Members scan W32.Netsky.Z@mm [Symantec-2004-042110-2302-99] (2004.04.21) - a Netsky variant that uses its own SMTP engine to email itself. Listens on port 665/tcp to receive and execute a file from an attacker.

Some other trojans also use this port: lpdw0rm, Shadow Phyre, ServU, Satans Back Door - SBD, NokNok, Cain & Abel, Back Construction, BLA trojan, th3r1pp3rz (= Therippers)
 666 tcp,udp doom Members scan Doom game (ID Software) uses this port.
Dark and Light [game] uses this port.

Because of the cool connotations, this port is also used by numerous trojan horses/backdoors. Here is a list:
Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, th3r1pp3rz (the rippers), lpdw0rm, Satanz Backdoor.
Backdoor.FTP_Ana.C [Symantec-2003-032708-3955-99] (2003.03.27) - Windows backdoor trojan.
Backdoor.Checkesp [Symantec-2003-060315-1236-99] (2003.06.03) - Windows backdoor trojan, 06.2003.
Backdoor.Private [Symantec-2003-052715-2101-99] (2003.05.27) - Windows backdoor trojan.
W32.Dreffort [Symantec-2005-040514-2341-99] (2005.04.05) - Infects .exe and .scr files, deletes files on Dec. 29th. Also opens a backdoor on the 29th of each month on port 666/tcp.
Backdoor.Microkos [Symantec-2005-081015-0341-99] (2005.08.10) - a trojan that opens a backdoor on the compromised computer. It listens for remote commands on port 65111/tcp, and can also open an additional backdoor on port 666/tcp.
Backdoor.Beasty [Symantec-2003-011711-1226-99] - a backdoor Trojan horse that allows complete access to an infected computer. By default, the Trojan listens on port 666 and notifies the hacker through ICQ.
 667 tcp trojans Premium scan SniperNet remote access trojan, 02.2000. Affects Windows 9x
 668 tcp trojans Premium scan Unicorn, th3r1pp3rz
 669 tcp trojans Premium scan Trojans that use this port: DP trojan, SniperNet

Port is also IANA assigned for: MeRegister
 674 tcp ACAP Premium scan ACAP -- Application Configuration Access Protocol

References: RFC2244, RFC2595, RFC2636
 680 tcp trojan Premium scan RTB 666
 683 udp games not scanned Delta Force
 684 tcp,udp corba-iiop-ssl not scanned CORBA IIOP SSL (IANA official)
 689 tcp,udp nmap not scanned A vulnerability in the way Novell NetMail handles NMAP "STOR" commands may cause a buffer overflow that may allow remote execution of arbitrary code. Novell NetMail's implementation of the Network Messaging Application Protocol (NMAP) contains a buffer overflow that may occur when processing parameters supplied to the "STOR" command. An attacker must login to an affected system in order to take advantage of this vulnerability. The vulnerable daemon, nmapd.exe, binds to port 689/tcp.
References: [CVE-2006-6424], [BID-21725]

IANA registered for: NMAP
 692 tcp trojan Premium scan GayOL trojan
 694 udp applications not scanned XHA (Linux-HA) on the BlueCat Networks Adonis DNS/DHCP Appliance 5.0.2.8 allows remote attackers to cause a denial of service (heartbeat control process crash) via a UDP packet to port 694.
References: [CVE-2007-4205]

Multiple format string vulnerabilities in heartbeat 0.4.9 and earlier (claimed as buffer overflows in some sources) allow remote attackers to execute arbitrary code via certain packets to UDP port 694 (incorrectly claimed as TCP in some sources).
References: [CVE-2002-1215], [BID-5955]

Port is also IANA registered for ha-cluster.
 699 tcp games not scanned City of Heroes
 700 udp buddyphone not scanned Port used by BuddyPhone Internet Telephony software. Also uses TCP range 5000-5111.
 700 tcp trojan Premium scan REx

Extensible Provisioning Protocol (TCP/UDP) (IANA official) [RFC 5734]
 701 udp applications not scanned Blubster 2.5 allows remote attackers to cause a denial of service (crash) via a flood of connections to UDP port 701.
References: [CVE-2003-0760], [BID-8482]

Port is also IANA registered for Link Management Protocol (LMP) [RFC 4204]
 702 tcp,udp iris-beep not scanned IRIS over BEEP (IANA official) [RFC 3983]
 703 tcp,udp fortigate not scanned Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp, 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - FortiClient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)
 704 tcp,udp elcsd not scanned errlog copy/server daemon (IANA official)
 705 tcp agentx not scanned RealNetworks Helix Server is vulnerable to a denial of service, caused by an error in the SNMP Master Agent process (master.exe). By establishing and immediately closing a TCP connection on port 705, a remote attacker could exploit this vulnerability to cause the service to terminate.
References: [XFDB-74674], [BID-52929]

An Exposure of System Data vulnerability in Juniper Networks Junos OS and Junos OS Evolved, where a sensitive system-level resource is not being sufficiently protected, allows a network-based unauthenticated attacker to send specific traffic which partially reaches this resource. A high rate of specific traffic may lead to a partial Denial of Service (DoS) as the CPU utilization of the RE is significantly increased. The SNMP Agent Extensibility (agentx) process should only be listening to TCP port 705 on the internal routing instance. External connections destined to port 705 should not be allowed. This issue affects: Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R2-S13, 17.4R3-S5; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2; 20.3 versions prior to 20.3R2. Juniper Networks Junos OS Evolved versions prior to 20.3R2-EVO. This issue does not affect Juniper Networks Junos OS versions prior to 13.2R1.
References: [CVE-2021-0291]

IANA registered for: AgentX
 707 tcp,udp borland-dsj not scanned Backdoor.Win32.BO2K.09.b / Unauthenticated Remote Command Execution - backdoor BO2K.09.b listens on TCP ports 707 and 808. Third-party adversaries who can reach the system can execute any command on the infected host using sockets, or get a remote shell using telnet, curl, etc.
References: [MVID-2021-0120]

Borland DSJ (IANA official)
 709 tcp,udp entrust-kmsh not scanned Entrust Key Management Service Handler (IANA official)

Vulnerabilities listed: 100 (some use multiple ports)