| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 8083 |
tcp,udp |
applications |
not scanned |
vCenter Server Internal Service Diagnostics use ports 8083,8085,8086,8087/tcp
ShowOff! 1.5.4 allows remote attackers to cause a denial of service (server crash) via a malformed request to port 8083.
References: [CVE-2005-1572], [BID-13598]
Utilistor Server (IANA official) |
| 8084 |
tcp |
websnp |
not scanned |
Apache Tomcat server (Netbeans JSP servlets)
IBM Lotus Sametime server uses this port. To allow internal users to participate in interactive audio/video meetings with users from the Internet, you must either open TCP port 8084 (the default TCP Tunneling port for the Audio/Video Services) or a range of UDP ports through the internal firewall.
Snarl Network Protocol over HTTP (IANA official) |
| 8085 |
tcp |
wiki service |
Members scan |
DSL CPE Management (Used by British Telecom, KPN Netherlands, etc. for ADSL modem communication)
Wiki service (Mac OS X Server v10.5 and later)
inSpeak Communicator uses port 8085 (TCP/UDP)
vCenter Server Internal Service Diagnostics use ports 8083,8085,8086,8087/tcp
Siemens Openstage and Gigaset phones use the following ports:
389/tcp LDAP
636/tcp LDAPS
5010/tcp - RTP
5060/tcp - SIP gateway, backup proxy
8085/tcp - DLS
18443/TCP and 18444/TCP - provisioning over TLS (HTTPS)
Grundig Smart Inter@ctive TV 3.0 devices allow CSRF attacks via a POST request to TCP port 8085 containing a predictable ID value, as demonstrated by a /sendrcpackage?keyid=-2544&keysymbol=-4081 request to shut off the device.
References: [CVE-2018-13989], [EDB-45022] |
| 8086 |
tcp |
wiki service |
not scanned |
Wiki service (Mac OS X Server v10.5 and later)
HELM Web Host Automation Windows Control Panel
Kaspersky AV Control Center
vCenter Server Internal Service Diagnostics use ports 8083,8085,8086,8087/tcp
XMMS.pm in X2 XMMS Remote, as obtained from the vendor server between 4 AM 11 AM PST on May 7, 2003, allows remote attackers to execute arbitrary commands via shell metacharacters in a request to TCP port 8086.
References: [CVE-2003-1128], [BID-7534]
IANA registered for: Distributed SCADA Networking Rendezvous Port (TCP/UDP) |
| 8087 |
tcp |
wiki service |
not scanned |
Wiki service (Mac OS X Server v10.5 and later)
Hosting Accelerator Control Panel, Parallels Plesk Control Panel
vCenter Server Internal Service Diagnostics use ports 8083,8085,8086,8087/tcp
ABB PCU400 contains a vulnerability which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. The ABB PCU400 application serves as a communication gateway between RTUs that use the IEC-870-5-104 protocol and the SCADA server. The diagnostic web application contains a software flaw which allows an attacker to gain full access on the PCU400 server by sending a specially crafted packet to the X87 web interface on TCP port 8087.
References: [CVE-2008-2474], [BID-31391]
IANA registered for: Simplify Media SPP Protocol (TCP/UDP) |
| 8087 |
udp |
applications |
not scanned |
Kaspersky AV Control Center |
| 8088 |
tcp |
apple |
not scanned |
Software update (Mac OS X Server v10.4 and later)
Asterisk (PBX) Web Configuration utility (GUI Addon)
IANA registered for: Radan HTTP (TCP/UDP) |
| 8088 |
udp |
games |
not scanned |
Lord of the Rings: Battle for Middle Earth uses ports 8088-28088 |
| 8089 |
tcp |
web email rules |
not scanned |
Web email rules (Mac OS X Server v10.6 and later), Fritz!Box automatic TR-069 configuration
Splunk (big data analysis software) uses the following ports by default:
514 - network input port
8000 - web port (clients accessing the Splunk search page)
8080 - index replication port
8089 - management port (splunkd, aslo used by deployment server)
9997 - indexing port (web interface)
9998 - SSL port
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
References: [CVE-2021-3122] |
| 8090 |
tcp |
http_alt_alt |
Premium scan |
Another HTTP Alternate (http_alt_alt)used as an alternative to port 8080.
Applications using this port: WebcamXP, Atlassian Confluence, Matrix identity server, Coral Content Distribution Network
Trojans that use this port: Aphex's Remote Packet Sniffer (Asniffer)
Trojan.Heloag [Symantec-2010-041512-2356-99] (2010.04.15) - a trojan horse that opens a back door and may download more files on to the compromised computer
EMC Data Protection Advisor could allow a remote attacker to execute arbitrary code on the system, caused by an error in the exposed EJBInvokerServlet servlet within the DPA_Illuminator.exe service. By sending a specially-crafted object to TCP ports 8090 or 8453, an attacker could exploit this vulnerability to execute arbitrary code NT AUTHORITY\SYSTEM privileges.
References: [XFDB-89534], [EDB-30211]
Vivint SkyControl Panel could allow a remote attacker to bypass security restrictions, caused by the failure to restrict access permissions in Web interface. By sending a specially-crafted request, an attacker could exploit this vulnerability using port 8090 to bypass access restrictions and modify security settings.
References: [CVE-2014-8362], [XFDB-111196]
Siemens SPPA-T3000 Application Server could allow a remote attacker to obtain sensitive information, caused by improper access control. By sending specially-crafted packets to 8090/tcp, an attacker could exploit this vulnerability to obtain filenames information, and use this information to launch further attacks against the affected system.
References: [CVE-2019-18333], [CVE-2019-18334], [XFDB-173119], [XFDB-173120]
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flipping the readiness endpoint to false, which removes Envoy from the routing pool. When running Envoy (For example on the host network, pod spec hostNetwork=true), the shutdown manager's endpoint is accessible to anyone on the network that can reach the Kubernetes node that's running Envoy. There is no authentication in place that prevents a rogue actor on the network from shutting down Envoy via the shutdown manager endpoint. Successful exploitation of this issue will lead to bad actors shutting down all instances of Envoy, essentially killing the entire ingress data plane. This is fixed in version 1.7.0.
References: [CVE-2020-15127]
IANA registered for: Vehicle to station messaging |
| 8091 |
tcp |
couchbase |
not scanned |
Couchbase Server (open source NoSQL document-oriented database) uses port 8091 for administration, and port 8092 as an API port.
An issue was discovered in Couchbase Server. Authenticated users can send arbitrary Erlang code to the 'diag/eval' endpoint of the REST API (available by default on TCP/8091 and/or TCP/18091). The executed code in the underlying operating system will run with the privileges of the user running Couchbase server.
References: [CVE-2018-15728], [BID-105157]
Jam Link Framework |
| 8092 |
tcp |
couchbase |
not scanned |
Couchbase Server (open source NoSQL document-oriented database) uses port 8091 for administration, and port 8092 as an API port. |
| 8093 |
tcp |
applications |
not scanned |
Couchbase Server 7.1.x and 7.2.x before 7.2.4 does not require authentication for the /admin/stats and /admin/vitals endpoints on TCP port 8093 of localhost.
References: [CVE-2023-49338] |
| 8094 |
tcp,udp |
applications |
not scanned |
In Flexense DiskBoss Enterprise 8.5.12, the Control Protocol suffers from a denial of service vulnerability. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 8094.
References: [CVE-2017-15665], [EDB-43454] |
| 8096 |
tcp |
web password reset |
not scanned |
Web password reset (Mac OS X Server v10.6.3 and later)
Emby and Jellyfin HTTP port
The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.
References: [CVE-2024-39864] |
| 8097 |
tcp |
trojan |
Premium scan |
Kryptonic Ghost Command Pro |
| 8100 |
tcp |
trojan |
Premium scan |
Console Gateway License Verification
Back streets trojan
BlueMap, a 3D Minecraft web viewer and mapping tool
Xprint Server (TCP/UDP) (IANA official) |
| 8101 |
tcp |
ldoms-migr |
not scanned |
SmartPTT SCADA 1.1.0.0 allows remote code execution (when the attacker has administrator privileges) by writing a malicious C# script and executing it on the server (via server settings in the administrator control panel on port 8101, by default).
References: [CVE-2023-30459]
Logical Domains Migration (IANA official) |
| 8102 |
tcp |
kz-migr |
not scanned |
IANA registered for: Oracle Kernel zones migration server |
| 8110 |
tcp |
trojans |
Premium scan |
DLP, LoseLove |
| 8111 |
tcp |
malware |
Premium scan |
Warthunder (WWII vehicular combat MMO) video game uses port 8111
Malware that uses this port:D LP, LoseLove
JOSM Remote Control
W32.Eboscro [Symantec-2006-110422-1903-99] (2006.11.04) - a worm that copies itself to removable drives, opens a back door, and lowers security settings on the compromised computer. |
| 8111 |
udp |
skynetflow |
not scanned |
IANA registered for: Skynetflow network services |
| 8116 |
tcp,udp |
cp-cluster |
not scanned |
Revo DVRNS
IANA registered for: Check Point Clustering |
| 8117 |
tcp |
purityrpc |
not scanned |
IANA registered for: clustering and remote management |
| 8118 |
tcp,udp |
privoxy |
not scanned |
adbyby v2.7 allows external users to make connections via port 8118. This can cause a program logic error and lead to a Denial of Service (DoS) via high CPU usage due to a large number of connections.
References: [CVE-2022-29767]
Privoxy HTTP proxy (IANA official) |
| 8123 |
tcp |
vipre |
Premium scan |
BURST Reference Software uses TCP ports 8123 (p2p), 8124 (standard mining pool port), 8125 (web interface)
ClickHouse Analytics DB (open source big data) uses TCP port 8123 for its HTTP interface.
Home Assistant (massive open source home automation project) uses port 8123 for WebUI. See: home-assistant.io/hassio/
Minecraft default dynmap mappiing port
Polipo open source web proxy, Bukkit DynMap Default Webserver Bind Address
VIPRE Business Security uses the following TCP ports: 8123, 18082, 18086, 18090. It may also communicate through TCP ports 135, 139, 445.
|
| 8124 |
tcp |
applications |
not scanned |
BURST Reference Software uses TCP ports 8123 (p2p), 8124 (standard mining pool port), 8125 (web interface) |
| 8125 |
tcp |
applications |
not scanned |
BURST Reference Software uses TCP ports 8123 (p2p), 8124 (standard mining pool port), 8125 (web interface)
StatsD server |
| 8126 |
tcp |
trojans |
Members scan |
W32.Pejaybot [Symantec-2005-011415-1848-99] (2005.01.14) - worm that spreads via file sharing networks. Connects to an IRC server and opens a backdoor on port 8126.
W32.Kelvir.Q [Symantec-2005-041213-2840-99] (2005.04.12) - worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm [Symantec-2003-053013-5943-99]. Connects to an IRC server on port 8126/tcp. |
| 8127 |
tcp,udp |
trojans |
not scanned |
9_119, Chonker |
| 8128 |
tcp,udp |
paycash-online |
not scanned |
PayCash Online Protocol [MegaZone] (IANA official) |
| 8129 |
tcp,udp |
paycash-wbp |
not scanned |
PayCash Wallet-Browser [MegaZone] (IANA official) |
| 8130 |
tcp |
trojans |
Premium scan |
9_119, Chonker, DLP
WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 perform authentication on the KAEClientManager console rather than on the server, which allows remote attackers to bypass intended access restrictions and discover credentials via a crafted packet to TCP port 8130.
References: [CVE-2013-2826] [XFDB-90513] |
| 8130 |
udp |
malware |
not scanned |
Backdoor.Win32.Loselove / Denial of Service - the malware listens on UDP ports 9329, 8329, 8322, 8131 and 8130. Attackers can send a large junk payload to UDP port 8131 causing it to crash.
References: [MVID-2022-0554] |
| 8131 |
tcp |
trojan |
Premium scan |
DLP trojan |
| 8131 |
udp |
malware |
not scanned |
Backdoor.Win32.Loselove / Denial of Service - the malware listens on UDP ports 9329, 8329, 8322, 8131 and 8130. Attackers can send a large junk payload to UDP port 8131 causing it to crash.
References: [MVID-2022-0554] |
| 8139 |
tcp |
applications |
not scanned |
Puppet (software) Client agent |
| 8140 |
tcp |
applications |
not scanned |
Puppet (software) Master server |
| 8143 |
tcp,udp |
applications |
not scanned |
ImapProxy, SCO SSH Tunneling |
| 8149 |
udp |
eor-game |
not scanned |
IANA registered for: Edge of Reality game data |
| 8153 |
tcp |
quantastor |
not scanned |
QuantaStor Management Interface [OS NEXUS] (IANA official) |
| 8162 |
tcp |
lpar2rrd |
not scanned |
IANA registered for: LPAR2RRD client server communication |
| 8170 |
tcp |
https |
not scanned |
Podcast Capture/podcast CLI |
| 8171 |
tcp |
https |
not scanned |
Podcast Capture/podcast CLI |
| 8172 |
tcp |
applications |
Premium scan |
Microsoft Remote Administration for IIS Manager
W32.Zotob.K trojan [Symantec-2005-082415-0814-99] exploits Windows vulnerabilities on port 445, opens UDP port 69 for TFTP, listens to TCP ports 6664 and 8172. |
| 8173 |
tcp |
trojans |
Premium scan |
Backdoor.Zebroxy [Symantec-2003-082113-3132-99] (2003.08.21) - a trojan horse that opens port 8173 and runs as a proxy server under Windows 2000/XP.
Port also used by: Y-cam Wireless IP Camera |
| 8175 |
tcp |
pcast tunnel |
not scanned |
Apple pcastagentd (for control operations, camera and so on) |
| 8181 |
tcp |
trojans |
Members scan |
W32.Erkez.D@mm [Symantec-2004-121413-4703-99] (2004.12.14) - mass mailing worm that can terminate processes, lower security settings, and allow remote access to the compromised computer. Opens a backdoor and listens for remote commands on port 8181/tcp.
Backdoor.Shangxing [Symantec-2007-030516-4150-99] (2007.03.06) also uses this port.
The Web Administrator service (STEMWADM.EXE) in Websense Personal Email Manager 7.1 before Hotfix 4 and Email Security 7.1 before Hotfix 4 allows remote attackers to cause a denial of service (crash) by sending a HTTP GET request to TCP port 8181 and closing the socket before the service can send a response.
References: [CVE-2009-3749], [BID-36740]
IPSwitch IMail is an e-mail server which provides WWW (HTTP) E-mail services. By default this web service resides on port 8181 (TCP/UDP) or 8383 (TCP/UDP). Sending an HTTP request with an extremely long "HOST" field multiple times can cause the system hosting the service to become unresponsive. Each long request "kills" a thread without freeing up the memory used by it. By repeating this request, the system's resources can be used up completely.
References: [BID-2011]
TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the admin web server accessible over the Internet on TCP port 8181, which is arguably inconsistent with the "It is only available on the local network" documentation. NOTE: manually editing /etc/upnp.json provides a partial but undocumented workaround.
References: [CVE-2021-30127]
Intermapper network management system (IANA official) |
| 8182 |
tcp |
applications |
not scanned |
SQL servers
Port is IANA registered for VMware Fault Domain Manager (TCP/UDP). |
| 8183 |
tcp |
proremote |
not scanned |
ProRemote |
| 8184 |
tcp,udp |
itach |
not scanned |
Remote iTach Connection |
| 8188 |
tcp |
applications |
not scanned |
ComfyUI Web Interface |
| 8190 |
tcp |
iot |
Members scan |
Veeam Backup and replication suite uses these ports, in addition to common 80, 443, etc.:
6160 TCP - Veeam installer service
6165 TCP - WAN accelerator
6180 TCP/UDP - Veeam cloud gateway
6169, 8190, 8191 TCP - used by SP backup server
10003 TCP - communication with Veeam backup service
Port used by: Ecobee thermostats, Y-cam Wireless IP Cameras
W32.Reatle.E@mm [Symantec-2005-080215-5809-99] (2005.08.02) - a mass-mailing worm that opens a backdoor and also spreads by exploiting the MS LSASS Buffer Overrun Vulnerability ([MS04-011]). Opens backdoors on ports 3351/tcp and 8190/tcp.
Multiple stack-based buffer overflows in Medicomp MEDCIN Engine 2.22.20142.166 might allow remote attackers to execute arbitrary code via a crafted packet on port 8190, related to (1) the GetProperty info_getproperty function and (2) the GetProperty UdfCodeList function.
References: [CVE-2015-2901]
Heap-based buffer overflow in the QualifierList retrieve_qualifier_list function in Medicomp MEDCIN Engine before 2.22.20153.226 might allow remote attackers to execute arbitrary code via a long list name in a packet on port 8190.
References: [CVE-2015-2899]
Multiple stack-based buffer overflows in Medicomp MEDCIN Engine before 2.22.20153.226 might allow remote attackers to execute arbitrary code via a crafted packet on port 8190, related to (1) the SetGroupSequenceEx na_setgroupsequenceex function, (2) the FormatDate julptostr function, and (3) the UserFindingCodes addtocl function.
References: [CVE-2015-2898]
IANA registered for: Generic control plane for RPHY |
| 8191 |
tcp |
limnerpressure |
not scanned |
Veeam Backup and replication suite uses these ports, in addition to common 80, 443, etc.:
6160 TCP - Veeam installer service
6165 TCP - WAN accelerator
6180 TCP/UDP - Veeam cloud gateway
6169, 8190, 8191 TCP - used by SP backup server
10003 TCP - communication with Veeam backup service
Limner Pressure - a pressure sensitive tablet apllication for Mac and iPad (IANA official) |
| 8192 |
tcp,udp |
applications |
not scanned |
Sophos Remote Management System, SnapStream PVS, SpyTech Phone Service, Y-cam Wireless IP Camera use this port. |
| 8193 |
tcp,udp |
applications |
not scanned |
Sophos Remote Management System, Y-cam Wireless IP Camera |
| 8194 |
tcp,udp |
applications |
not scanned |
Sophos Remote Management System, Bloomberg data API, Y-cam Wireless IP Camera use this port. |
| 8195 |
tcp |
blp2 |
not scanned |
Bloomberg feed |
| 8198 |
tcp |
applications |
not scanned |
Sophos Antivirus, Y-cam Wireless IP Camera |
| 8199 |
tcp |
applications |
not scanned |
Citrix AppDNA Server uses port 8199 for HTTP connections between AppDNA and IIS.
Y-cam Wireless IP Camera
The administrative service in Symantec Veritas Volume Replicator (VVR) for Windows and VVR for Unix, in Symantec Storage Foundation products allows remote attackers to cause a denial of service (memory consumption and service crash) via a crafted packet to the service port (8199/tcp) that triggers a request for more memory than available, which causes the service to write to an invalid pointer.
References: [CVE-2007-1593], [BID-24160]
Port is also IANA registered for VVR data. |
| 8200 |
tcp,udp |
applications |
not scanned |
Duplicati web server (open source remote backup solution)
Revo DVRNS
GoToMyPC
GoToMeeting, also Citrix workstation GoToMeeting service broker
MiniDLNA media server Web Interface
Backdoor.Win32.Hupigon.aaio / Remote Stack Buffer Overflow - the malware listens on TCP ports 8200,8201,8202,8203 and UDP ports 8200,8204. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by sending a large payload to TCP port 8202. This will overwrite the ECX and EIP stack registers and structured exception handler (SEH).
References: [MVID-2021-0255]
TRIVNET (IANA official) |
| 8201 |
tcp,udp |
trivnet2 |
not scanned |
Backdoor.Win32.Hupigon.aaio / Remote Stack Buffer Overflow - the malware listens on TCP ports 8200,8201,8202,8203 and UDP ports 8200,8204. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by sending a large payload to TCP port 8202. This will overwrite the ECX and EIP stack registers and structured exception handler (SEH).
References: [MVID-2021-0255]
TRIVNET (IANA official) |
| 8202 |
udp |
aesop |
not scanned |
Audio+Ethernet Standard Open Protocol [POWERSOFT SRL] (IANA official) |
| 8202 |
tcp |
malware |
not scanned |
Backdoor.Win32.Hupigon.aaio / Remote Stack Buffer Overflow - the malware listens on TCP ports 8200,8201,8202,8203 and UDP ports 8200,8204. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by sending a large payload to TCP port 8202. This will overwrite the ECX and EIP stack registers and structured exception handler (SEH).
References: [MVID-2021-0255] |
| 8203 |
tcp |
worm |
not scanned |
W32.Neeris.B [Symantec-2007-091303-4952-99] (2007.09.12) - a worm that spreads through MSN instant messaging applications. It also opens a back door on the compromised computer.
Backdoor.Win32.Hupigon.aaio / Remote Stack Buffer Overflow - the malware listens on TCP ports 8200,8201,8202,8203 and UDP ports 8200,8204. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by sending a large payload to TCP port 8202. This will overwrite the ECX and EIP stack registers and structured exception handler (SEH).
References: [MVID-2021-0255] |
| 8204 |
tcp,udp |
lm-perfworks |
not scanned |
Backdoor.Win32.Hupigon.aaio / Remote Stack Buffer Overflow - the malware listens on TCP ports 8200,8201,8202,8203 and UDP ports 8200,8204. Third-party attackers who can reach an infected host can trigger a classic remote buffer overflow by sending a large payload to TCP port 8202. This will overwrite the ECX and EIP stack registers and structured exception handler (SEH).
References: [MVID-2021-0255]
LM Perfworks (IANA official) |
| 8211 |
tcp |
applications |
not scanned |
Dealing Office Server
Palworld Server
Y-cam Wireless IP Camera
|
| 8211 |
udp |
aruba-papi |
not scanned |
There are multiple buffer overflow vulnerabilities that could lead to unauthenticated remote code execution by sending especially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211) of access-points or controllers in Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers version(s): 2.1.0.1, 2.2.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below.
References: [CVE-2020-24633]
An attacker is able to remotely inject arbitrary commands by sending especially crafted packets destined to the PAPI (Aruba Networks AP Management protocol) UDP port (8211) of access-pointsor controllers in Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers version(s): 2.1.0.1, 2.2.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below ; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below.
References: [CVE-2020-24634]
There is a command injection vulnerability that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
References: [CVE-2022-37897]
There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x: 10.3.1.0 and below; Aruba has released upgrades for Aruba InnstantOS that address these security vulnerabilities.
References: [CVE-2022-37885], [CVE-2022-37886], [CVE-2022-37887], [CVE-2022-37888], [CVE-2022-37889]
There is a buffer overflow vulnerability in the underlying AirWave client service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
References: [CVE-2023-45614], [CVE-2023-45615], [CVE-2023-45616]
Unauthenticated Command Injection Vulnerability in the CLI Service Accessed by the PAPI Protocol. Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
References: [CVE-2024-47460]
Aruba Networks AP management (IANA official) |
| 8212 |
tcp,udp |
|
not scanned |
Palworld Server REST API |
| 8222 |
tcp |
applications |
not scanned |
VMWare, Y-cam Wireless IP Camera |
| 8225 |
tcp |
applications |
not scanned |
IP/IPX gateway for Novell BorderManager 3.6 SP 1a allows remote attackers to cause a denial of service via a connection to port 8225 with a large amount of random data, which causes ipipxgw.nlm to ABEND.
References: [CVE-2002-0780], [BID-4697] |
| 8231 |
udp |
hncp-udp-port |
not scanned |
IANA registered for: HNCP |
| 8232 |
udp |
hncp-dtls-port |
not scanned |
IANA registered for: HNCP over DTLS |
| 8236 |
tcp,udp |
applications |
not scanned |
jRCS listener for Rocket Software jBASE Remote Connectivity Server |
| 8243 |
tcp,udp |
synapse-nhttps |
not scanned |
Synapse Non Blocking HTTPS, HTTPS listener for Apache Synapse, Y-cam Wireless IP Camera |
| 8245 |
tcp |
applications |
not scanned |
No-IP, DynDNS, Y-cam Wireless IP Camera use this port. |
| 8257 |
tcp |
applications |
not scanned |
Papenmeier WiFi Baby Monitor Free & Lite before 2.02.2 allows remote attackers to obtain audio data via certain requests to TCP ports 8258 and 8257.
References: [CVE-2018-7661], [EDB-442322]
|
| 8258 |
tcp |
applications |
not scanned |
Papenmeier WiFi Baby Monitor Free & Lite before 2.02.2 allows remote attackers to obtain audio data via certain requests to TCP ports 8258 and 8257.
References: [CVE-2018-7661], [EDB-442322] |
| 8270 |
tcp |
robot-remote |
not scanned |
IANA registered for: Robot Framework Remote Library Interface |
| 8276 |
tcp,udp |
ms-mcc |
not scanned |
Microsoft Connected Cache (IANA official) |
| 8280 |
tcp,udp |
synapse |
not scanned |
Apache Synapse, Y-cam Wireless IP Camera use this port. |
| 8282 |
tcp |
applications |
not scanned |
Y-cam Wireless IP Camera, SAS Server, CS Intranet use this port.
IANA registered for: Libelle EnterpriseBus |
| 8282 |
udp |
libelle-disc |
not scanned |
IANA registered for: Libelle EnterpriseBus discovery |
| 8284 |
tcp |
citrix |
not scanned |
Citrix Workspace Environment Management (WEM) uses these ports:
8284,8285,8286,8287 TCP - agent and administration console connections
49752 TCP - agent listening port
7279,27000 TCP - Citrix license server ports |
| 8285 |
tcp |
citrix |
not scanned |
Citrix Workspace Environment Management (WEM) uses these ports:
8284,8285,8286,8287 TCP - agent and administration console connections
49752 TCP - agent listening port
7279,27000 TCP - Citrix license server ports |
| 8286 |
tcp |
citrix |
not scanned |
Citrix Workspace Environment Management (WEM) uses these ports:
8284,8285,8286,8287 TCP - agent and administration console connections
49752 TCP - agent listening port
7279,27000 TCP - Citrix license server ports |
| 8287 |
tcp |
citrix |
not scanned |
Citrix Workspace Environment Management (WEM) uses these ports:
8284,8285,8286,8287 TCP - agent and administration console connections
49752 TCP - agent listening port
7279,27000 TCP - Citrix license server ports |
| 8291 |
tcp |
mikrotik |
not scanned |
MikroTik RouterOS uses the following ports:
5678/udp - Mikrotik Neighbor Discovery Protocol
6343/tcp - Default OpenFlow port
8080/tcp - HTTP Web Proxy
8291/tcp - Winbox GUI
8728/tcp - API
8729/tcp - API-SSL
20561/udp - MAC Winbox GUI
RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below allow remote unauthenticated attackers to trigger DNS queries via port 8291. The queries are sent from the router to a server of the attacker's choice. The DNS responses are cached by the router, potentially resulting in cache poisoning.
References: [CVE-2019-3978], [XFDB-170447] |
| 8293 |
tcp |
hiperscan-id |
not scanned |
Hiperscan Identification Service |
| 8300 |
tcp |
applications |
not scanned |
Messenger Agents (nmma.exe) in Novell GroupWise allow remote attackers to cause a denial of service (crash) via a crafted HTTP POST request to TCP port 8300 with a modified val parameter, which triggers a null dereference related to "zero-size strings in blowfish routines."
References: [CVE-2006-4511], [BID-20316]
Port is also IANA registered for Transport Management Interface |
| 8301 |
tcp |
amberon |
Premium scan |
Hashicorp Consul (network service discovery platform)
Y-cam Wireless IP Camera
Trojans using this port: DLP, LoseLove
Amberon PPC/PPS (IANA official) |
| 8302 |
tcp |
trojans |
Premium scan |
DLP, LoseLove |
| 8303 |
udp |
applications |
not scanned |
Teeworlds Server |
| 8311 |
tcp |
trojan |
Premium scan |
Backdoor.Mxsender [Symantec-2003-101014-4332-99] (2003.10.10) - a backdoor trojan horse that gives an attacker unauthorized access to a compromised computer. It connects to port 8311 of the predetermined servers and waits for commands from its author.
SweetHeart trojan |
| 8313 |
tcp |
hub-open-net |
not scanned |
Hub Open Network [Grexie] (IANA official) |
| 8322 |
tcp |
trojan |
Premium scan |
DLP trojan
Garmin Marine (TCP/UDP) (IANA official) |
| 8322 |
udp |
malware |
not scanned |
Backdoor.Win32.Loselove / Denial of Service - the malware listens on UDP ports 9329, 8329, 8322, 8131 and 8130. Attackers can send a large junk payload to UDP port 8131 causing it to crash.
References: [MVID-2022-0554] |
| 8324 |
tcp |
plex |
not scanned |
Plex Media Server uses port 8324 TCP locally for controlling Plex for Roku via Plex Companion. |
| 8329 |
tcp |
trojan |
Premium scan |
DLP trojan |
| 8329 |
udp |
malware |
not scanned |
Backdoor.Win32.Loselove / Denial of Service - the malware listens on UDP ports 9329, 8329, 8322, 8131 and 8130. Attackers can send a large junk payload to UDP port 8131 causing it to crash.
References: [MVID-2022-0554] |
