
Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and the corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please contact us. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 13111 tcp ksnproxy not scanned Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
 13131 tcp qnap not scanned QNAP NAS uses the following ports:
Web server: 80,8081 TCP and 443,8080 TCP (web admin)
FTP/SFTP/SSH: 20,21,22 TCP and 13131 TCP (telnet)
Remote Replication: 873,8899 TCP
VPN server: 1723 TCP (PPTP), 1194 UDP (OpenVPN)
CloudLink: port 20001 UDP (optional, only required for access without manual port forwarding)
 13137 tcp malware not scanned Backdoor.Win32.Surila.j / Port Bounce Scan - The malware listens on random TCP high port numbers typically starting with "1" E.g. 12356, 14985, 13850, 19050, 13137. The malware has an FTP component that accepts any username/password credentials. Third-party attackers who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2021-0288]

Backdoor.Win32.Surila.j / Authentication Bypass - The malware listens on random TCP high port numbers typically starting with "1" E.g. 12356, 14985, 13850, 19050, 13137. Third-party attackers who can reach infected systems can logon using any username/password combination.
References: [MVID-2021-0289]
 13139 udp games not scanned GameSpy Arcade - Custom UDP Pings, Worms 4 Mayhem

Armies of Exigo also uses this port.

Also uses ports 3783, 6500, 6515 UDP, 6667, 13139 UDP, 27900 UDP, 28900, 29900, 29901
 13173 tcp trojans Premium scan Backdoor.Amitis.B [Symantec-2003-051915-1012-99] (2003.05.19) Windows remote access trojan. Listens on ports 3547, 7823, 12345, 13173, 44280, 44390, 47387, 64429. Other variants of Backdoor.Amitis also use ports 27, 551.
 13195 tcp,udp applications not scanned Ontolux 2D
 13200 tcp applications not scanned Settlers 7
 13223 tcp trojan Premium scan Hack'99 KeyLogger trojan

PowWow Client also uses this port (TCP/UDP).
 13224 tcp,udp powwow-server not scanned PowWow
 13291 tcp klserver not scanned Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
 13292 tcp klserver not scanned Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
 13294 tcp klserver not scanned Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
 13295 tcp klserver not scanned Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
 13298 tcp,udp trojans not scanned Backdoor.Theef.C [Symantec-2002-120917-1049-99] (2002.12.09) - a backdoor trojan that gives an attacker unauthorized access to an infected computer. By default it opens and listens on port 13298.
 13299 tcp klserver not scanned Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
 13333 tcp,udp applications not scanned ValiCert Enterprise Validation Authority (EVA) is vulnerable to several buffer overflows in the forms.exe CGI script that is used by remote users to access the EVA Administration Server. By sending a specially-crafted HTTP POST request to the Administration Server on port 13333, a remote attacker can overflow a buffer and execute arbitrary code on the system with system level privileges.
References: [CVE-2001-0949], [XFDB-7652]
 13337 tcp,udp applications not scanned EtherNet peer-to-peer networking
 13364 tcp,udp applications not scanned Edimax IC-3030iWn is prone to an information-disclosure vulnerability.
References: [BID_54006], [EDB-37405]
 13370 tcp trojan Premium scan SpArTa trojan
 13371 tcp trojan Premium scan Optix Pro trojan
 13392 tcp,udp skype not scanned Port sometimes used by Skype VoIP
 13400 tcp doip-data not scanned IANA registered for: DoIP Data
 13400 udp doip-disc not scanned IANA registered for: DoIP Discovery
 13443 tcp,udp dogtag not scanned Dogtag Certificate System authority uses port 9080 (ca) and port 9443 (secure ca) by default.
Dogtag Certificate PKI Subsystems may also use:
DRM - ports 10080 (drm) and 10443 (drm secure)
OCSP - ports 11080 (ocsp) and 11443 (ocsp secure)
RA - ports 12888 (ra) and 12889 (ra secure)
TKS - ports 13080 (tks) and 13443 (tks secure)
TPS - ports 7888 (tps) and 7889 (tps secure)
 13457 tcp,udp applications not scanned BitLord
 13468 tcp trojan Premium scan W32.Sober.D trojan
 13473 tcp trojan Premium scan Chupacabra trojan
 13500 tcp trojan Premium scan Theef trojan

NHL 2003, UEFA EURO 2004, Madden NFL 2006, NBA Live 06 also use this port.

Multiple buffer overflows in Client Software WinCom LPD Total 3.0.2.623 and earlier allow remote attackers to execute arbitrary code via a long 0x02 command to the remote administration service on TCP port 13500 or a long invalid control filename to LPDService.exe on TCP port 515.
References: [CVE-2008-5176], [BID-27614]
 13505 tcp games not scanned FIFA 2005, Need For Speed Most Wanted, Tiger Woods 2006, The Orange Box, Battlefield: Bad Company 2
 13599 tcp games not scanned NBA Live 06 uses ports 13500-13599
 13620 tcp trojans Premium scan ZeroAccess/Sirefef trojan rootkit. One botnet uses ports 16464 and 16465 for its 32-bit and 64-bit versions; the other botnet uses ports 16470 and 16471. Other variants may also use these ports: 13620, 21315, 21810, 22292
 13655 udp ransomware not scanned Sage 2.0 Ransomware uses port 13655 UDP to send out encrypted p2p traffic.
 13700 tcp trojan Premium scan Kuang2 The Virus
 13701 tcp applications not scanned VERITAS NetBackup is vulnerable to a buffer overflow in the Volume Manager service (vmd.exe), caused by improper bounds checking by the sscanf() function. By sending a specially-crafted request to TCP port 13701, a remote attacker could overflow a buffer and execute arbitrary code on an affected system.
References: [CVE-2006-0989], [BID-17264]
 13720 tcp,udp bprd not scanned BPRD Protocol (VERITAS NetBackup) (IANA official)
 13721 tcp,udp bpdbm not scanned BPDBM Protocol (VERITAS NetBackup) (IANA official)
 13722 tcp,udp veritas not scanned Port used by Veritas PBX (Private Branch Exchange) Service

Veritas uses the following ports:
1556 - Veritas PBX Service
2821 - VxSS Authentication Service
4032 - VxSS Authorization Service
13724 - Veritas NetBackup Network Service
13783 - nbatd
13722 - nbazd

VERITAS NetBackup is vulnerable to a format string attack caused by a vulnerability in the COMMAND_LOGON_TO_MSERVER command in bpjava-msvc. A remote attacker could send a specially-crafted request to the Java authentication service running on TCP port 13722 to cause an overflow and execute arbitrary code on the victim's system.
References: [CVE-2005-2715]

Port is also IANA registered for BP Java MSVC Protocol
 13724 tcp applications not scanned Port used by Veritas PBX (Private Branch Exchange) Service

Veritas uses the following ports:
1556 - Veritas PBX Service
2821 - VxSS Authentication Service
4032 - VxSS Authorization Service
13724 - Veritas NetBackup Network Service
13783 - nbatd
13722 - nbazd

Buffer overflow in the NetBackup Sharepoint Services server daemon (bpspsserver) on NetBackup 6.0 for Windows allows remote attackers to execute arbitrary code via crafted "Request Service" packets to the vnetd service (TCP port 13724).
References: [CVE-2006-0991], [BID-17264]

Port is IANA registered for Veritas Network Utility
 13753 tcp trojan Premium scan Anal FTP trojan
 13782 tcp,udp bpcd not scanned VERITAS NetBackup (IANA official)
 13783 tcp vopied not scanned Symantec VOPIED protocol (formerly VERITAS)

Veritas PBX (Private Branch Exchange) Service uses the following ports:
1556 - Veritas PBX Service
2821 - VxSS Authentication Service
4032 - VxSS Authorization Service
13724 - Veritas NetBackup Network Service
13783 - nbatd
13722 - nbazd
 13785 tcp,udp nbdb not scanned NetBackup Database (IANA official)
 13786 tcp,udp nomdb not scanned Veritas-nomdb (IANA official)
 13823 tcp bmdss not scanned IANA registered for: Blackmagic Design Streaming Server
 13832 tcp a-trust-rpc not scanned Certificate Management and Issuing (IANA official)
 13838 tcp applications not scanned hydra.exe in HP SAN/iQ before 9.5 on the HP Virtual SAN Appliance has a hardcoded password of L0CAlu53R for the global$agent account, which allows remote attackers to obtain access to a management service via a login: request to TCP port 13838.
References: [CVE-2012-4362]

HP LeftHand Virtual SAN Appliance is vulnerable to a stack-based buffer overflow in the LHNSessionManager component of the hydra service. By sending an overly long username to the hydra service listening on TCP port 13838, a remote attacker could overflow a buffer and execute arbitrary code on the system with root privileges.
References: [XFDB-85355], [CVE-2013-2343], [BID-60884]
 13850 tcp malware not scanned Backdoor.Win32.Surila.j / Port Bounce Scan - the malware listens on random TCP high port numbers typically starting with "1" E.g. 12356, 14985, 13850, 19050, 13137. The malware has an FTP component that accepts any username/password credentials. Third-party attackers who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2021-0288]

Backdoor.Win32.Surila.j / Authentication Bypass - the malware listens on random TCP high port numbers typically starting with "1" E.g. 12356, 14985, 13850, 19050, 13137. Third-party attackers who can reach infected systems can logon using any username/password combination.
References: [MVID-2021-0289]

Backdoor.Win32.Surila.j / Remote Denial of Service - the malware listens on random TCP high port numbers typically starting with "1" E.g. 12356, 14985, 13850, 19050. Third-party attackers who can reach infected systems can logon using any username/password combination. Supplying a long string of characters for the FTP PORT command argument results in access violation and crash.
References: [MVID-2021-0290]
 13894 tcp,udp ucontrol not scanned Ultimate Control communication protocol [NEGU Soft] (IANA official)
 14000 udp applications not scanned Osagent.exe in Borland VisiBroker Smart Agent 08.00.00.C1.03 and earlier allows remote attackers to cause a denial of service (crash) via a crafted packet with a large string length value to UDP port 14000, which triggers a memory allocation failure that is not properly handled.
References: [CVE-2008-7127], [BID-28084]

Integer overflow in osagent.exe in Borland VisiBroker Smart Agent 08.00.00.C1.03 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet with a large string length value to UDP port 14000, which triggers a heap-based buffer overflow.
References: [CVE-2008-7126] [BID-28084] [SECUNIA-29213] [OSVDB-43057]

SCOTTY High-Speed Filetransfer (IANA official)
 14000 tcp applications Premium scan Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management

The Data Archiver service in GE Intelligent Platforms Proficy Historian 4.5 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted session on TCP port 14000 to (1) ihDataArchiver.exe or (2) ihDataArchiver_x64.exe.
References: [CVE-2012-0229]
 14001 tcp,sctp sua not scanned SUA
 14002 tcp,udp scotty not scanned Tanne Daemon (tcp)
Discovery of a SCOTTY hardware codec board - Scotty Group SE (IANA official, udp)
 14010 tcp,udp applications not scanned Market Analyst Software
 14012 tcp worm not scanned W32.Remadworm [Symantec-2007-032608-5713-99] (2007.03.26) - a worm that spreads through removable media and may connect to a potentially malicious Web site or open a back door on the compromised computer.
 14013 tcp router not scanned AVM FRITZ!Box (any model) Child Protection (Kindersicherung) service port scan
 14100 tcp trojan Premium scan Trojan.Eurosol [Symantec-2001-052113-1339-99]

Trojan-Spy.Win32.Xspyout.a / Unauthenticated Open Proxy - the malware listens on TCP port 14100. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0268]
 14143 tcp icpps not scanned IANA registered for: IceWall Cert Protocol over TLS
 14147 tcp,udp applications not scanned FileZilla Server admin port
 14194 tcp trojan Premium scan CyberSpy trojan
 14200 tcp games not scanned America's Army
 14223 tcp malware not scanned Backdoor.Win32.Agent.ggw / Authentication Bypass - the malware runs a built-in FTP server listening on one of several random TCP ports like 32335, 27227, 27942, 14223, 14988, 11092. Third-party attackers who can reach the server and that know or guess the port can "logon" using any USER/PASS combination or provide no credentials at all.
References: [MVID-2021-0193]
 14237 tcp palm-hotsync not scanned Palm Computing Network Hotsync
 14238 tcp,udp palm-hotsync not scanned Palm Computing Network Hotsync

Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode.
References: [CVE-1999-1065]
 14247 tcp trojan Premium scan Trojan.Mitglieder.h [Symantec-2004-040712-3540-99] trojan

Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, allows remote attackers to cause a denial of service (CPU consumption) via arbitrary packets to TCP port 14247, as demonstrated using port scanning.
References: [BID-9469], [CVE-2004-1759], [XFDB-14901], [OSVDB-3691]
 14285 tcp trojan Premium scan Laocoon trojan
 14286 tcp trojans Premium scan HellDriver, Laocoon
 14287 tcp trojan Premium scan Laocoon trojan
 14300 tcp applications not scanned Symantec Veritas VRTSweb Incoming Data Remote Code Execution Vulnerability
References: [CVE-2009-3027], [BID-37012]
 14400 tcp applications not scanned Iris Online

W32.Lamin.B [Symantec-2003-110612-5307-99] (2003.11.05) - a virus that infects Portable Executable (PE) files. It can replicate across both fixed and remote drives. The virus also contains a keystroke logger and an IRC backdoor Trojan.
 14439 tcp applications not scanned APRS UI-View Amateur Radio UI-WebServer
 14456 tcp trojan Premium scan Solero trojan
 14500 tcp trojan Premium scan PC Invader 0.7 trojan

IANA registered for: xpra network protocol
 14501 tcp trojan Premium scan PC Invader 0.7 trojan
 14502 tcp trojan Premium scan PC Invader 0.7 trojan
 14503 tcp trojan Premium scan PC Invader 0.7 trojan
 14504 tcp trojan Premium scan PC Invader trojan
 14534 tcp teamspeak Premium scan Teamspeak server default web administration port (configurable in server.ini). Program also uses port 51234/tcp for server queries, and port 8767/udp.

TeamSpeak WebServer 2.0 for Windows does not validate parameter value lengths and does not expire TCP sessions, which allows remote attackers to cause a denial of service (CPU and memory consumption) via long username and password parameters in a request to login.tscmd on TCP port 14534.
References: [CVE-2007-3956], [BID-24977]
 14550 udp applications not scanned MAVLink Ground Station Port
 14567 udp games not scanned Battlefield 1942
 14600 tcp applications not scanned Iris Online
 14690 tcp,udp applications not scanned BitKeeper (bitmover.com) source management system

Battlefield 1942 game uses port 14690/udp
 14728 tcp trojans not scanned Backdoor.Zinx [Symantec-2003-111014-3109-99] (2003.11.10) - a trojan program that allows a compromised system to be used as a proxy. It also sends system information to the remote attacker.
 14800 tcp games not scanned Age of Wonders III p2p port
 14900 tcp applications not scanned K3 SYSPRO K3 Framework WCF Backbone
 14920 tcp malware not scanned Backdoor.Win32.Delf.zho / Authentication Bypass RCE - the malware listens on TCP port 21 and TCP ports 14920 to 14923. Third-party attackers who can reach the system can log on using any username/password combination. Attackers may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2021-0205]

Backdoor.Win32.RMFdoor.c / Authentication Bypass RCE - the malware listens on TCP ports 21, 14920. Attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2021-0220]
 14923 tcp malware not scanned Backdoor.Win32.Delf.zho / Authentication Bypass RCE - the malware listens on TCP port 21 and TCP ports 14920 to 14923. Third-party attackers who can reach the system can log on using any username/password combination. Attackers may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2021-0205]
 14936 tcp,udp hde-lcesrvr-1 not scanned hde-lcesrvr-1 [Horizon Digital Ente] (IANA official)
 14937 tcp,udp hde-lcesrvr-2 not scanned hde-lcesrvr-2 [Horizon Digital Ente] (IANA official)
 14942 tcp applications not scanned Trend Micro ServerProtect for Linux (SPLX) allows remote attackers to access arbitrary web pages and reconfigure the product via HTTP requests with the splx_2376_info cookie to the web interface port 14942/tcp.
References: [CVE-2007-1168], [BID-22662]
 14983 tcp,udp applications not scanned EnterpriseDT CompleteFTP Server prior to version 12.1.3 is vulnerable to information exposure in the Bootstrap.log file. This allows an attacker to obtain the administrator password hash.

CompleteFTP before 12.1.3 logs an obscured administrator password to a file during installation (C:\Program Files (x86)\Complete FTP\Server\Bootstrapper.log). If CompleteFTP is configured to permit remote administration (over port 14983) it is possible to obtain remote code execution through the administration interface.

References: [CVE-2019-16116], [EDB-48657]
 14985 tcp malware not scanned Backdoor.Win32.Surila.j / Port Bounce Scan - the malware listens on random TCP high port numbers typically starting with "1" E.g. 12356, 14985, 13850, 19050, 13137. The malware has an FTP component that accepts any username/password credentials. Third-party attackers who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2021-0288]

Backdoor.Win32.Surila.j / Authentication Bypass - the malware listens on random TCP high port numbers typically starting with "1" E.g. 12356, 14985, 13850, 19050, 13137. Third-party attackers who can reach infected systems can logon using any username/password combination.
References: [MVID-2021-0289]

Backdoor.Win32.Surila.j / Remote Denial of Service - the malware listens on random TCP high port numbers typically starting with "1" E.g. 12356, 14985, 13850, 19050. Third-party attackers who can reach infected systems can logon using any username/password combination. Supplying a long string of characters for the FTP PORT command argument results in access violation and crash.
References: [MVID-2021-0290]
 14988 tcp malware not scanned Backdoor.Win32.Agent.ggw / Authentication Bypass - the malware runs a built-in FTP server listening on one of several random TCP ports like 32335, 27227, 27942, 14223, 14988, 11092. Third-party attackers who can reach the server and that know or guess the port can "logon" using any USER/PASS combination or provide no credentials at all.
References: [MVID-2021-0193]
 15000 tcp various Members scan N-Able update service

Games: Alien Crossfire (TCP/UDP), Alpha Centauri, Gridz (TCP/UDP), Links LS 2000 (TCP/UDP), Majesty (TCP/UDP), Master of Orion II (TCP/UDP), Star Conquest (TCP/UDP)

Malware: R0xr4t, Route to the Hell, NetDaemon 1.0, psyBNC, Wesnoth, Kaspersky Network Agent

Samsung SBeam allows remote attackers to read arbitrary images by leveraging an NFC connection to access the HTTP server on port 15000.
References: [CVE-2015-4033]

Backdoor.Win32.Benju.a / Unauthenticated Remote Command Execution - The RAT listens on TCP ports 200 and 15000. Third-party adversaries who can reach an infected host can execute commands made available by the malware. Commands are sent in Spanish. Using netcat or telnet fails to run commands after connecting because they send CRLFs, e.g. "quitar\r\n" fails while "quitar" succeeds, so a custom client is needed to send commands to the Benju RAT.
References: [MVID-2024-0700]

Hypack Data Aquisition (IANA official)
 15000 udp klnagent not scanned Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
 15001 tcp games not scanned Ground Control
 15001 udp klnagent not scanned Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
 15002 tcp onep-tls not scanned Open Network Environment TLS [Cisco_3] (IANA official)
 15012 tcp,udp applications not scanned Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, 'istiod', is vulnerable to a request processing error that allows a malicious attacker to crash the control plane by sending a specially crafted message. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [multicluster](https://istio.io/latest/docs/setup/install/multicluster/primary-remote/) topologies, this port is exposed over the public internet. There are no effective workarounds, beyond upgrading. Limiting network access to Istiod to the minimal set of clients can help lessen the scope of the vulnerability to some extent.
References: [CVE-2022-23635]
 15017 tcp,udp applications not scanned Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error that allows a malicious attacker to crash the control plane by sending a specially crafted message when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities.
References: [CVE-2022-24726]

Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plane, istiod, is vulnerable to a request processing error that allows a malicious attacker to crash the control plane by sending a specially crafted or oversized message when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. Versions 1.15.2, 1.14.5, and 1.13.9 contain patches for this issue. There are no effective workarounds, beyond upgrading. This bug is due to an error in `regexp.Compile` in Go.
References: [CVE-2022-39278]
 15064 tcp apps not scanned LogMeIn may use port 15064/tcp
Dameware (dwrcs.exe) may use this port

Ring Doorbell uses TCP ports 80, 443, 5228, 15064. In addition, it may use a random UDP port, and outbound TCP ports 7078, 9078, 9998, 9999, 15063

Vulnerabilities listed: 100 (some use multiple ports)