The Broadband Guide

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; if you feel we should add other port(s) to the list or modify their descriptions, any feedback and suggestions can be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 13753 tcp trojan Premium scan Anal FTP trojan
 13782 tcp,udp bpcd not scanned VERITAS NetBackup (IANA official)
 13783 tcp vopied not scanned Symantec VOPIED protocol (formerly VERITAS)

Veritas PBX (Private Branch Exchange) Service uses the following ports:
1556 - Veritas PBX Service
2821 - VxSS Authentication Service
4032 - VxSS Authorization Service
13724 - Veritas NetBackup Network Service
13783 - nbatd
13722 - nbazd
 13785 tcp,udp nbdb not scanned NetBackup Database (IANA official)
 13786 tcp,udp nomdb not scanned Veritas-nomdb (IANA official)
 13823 tcp bmdss not scanned IANA registered for: Blackmagic Design Streaming Server
 13832 tcp a-trust-rpc not scanned Certificate Management and Issuing (IANA official)
 13838 tcp applications not scanned hydra.exe in HP SAN/iQ before 9.5 on the HP Virtual SAN Appliance has a hardcoded password of L0CAlu53R for the global$agent account, which allows remote attackers to obtain access to a management service via a login: request to TCP port 13838.
References: [CVE-2012-4362]

HP LeftHand Virtual SAN Appliance is vulnerable to a stack-based buffer overflow in the LHNSessionManager component of the hydra service. By sending an overly long username to the hydra service listening on TCP port 13838, a remote attacker could overflow a buffer and execute arbitrary code on the system with root privileges.
References: [XFDB-85355], [CVE-2013-2343], [BID-60884]
 13850 tcp malware not scanned Backdoor.Win32.Surila.j / Port Bounce Scan - the malware listens on random high TCP port numbers, typically starting with "1", e.g. 12356, 14985, 13850, 19050, 13137. The malware has an FTP component that accepts any username/password credentials. Third-party attackers who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This allows remote attackers to abuse the infected system to discreetly conduct network port scanning. Scan targets will then think the scans originate from the infected system running the malware's FTP server and not from the actual attacker.
References: [MVID-2021-0288]

Backdoor.Win32.Surila.j / Authentication Bypass - the malware listens on random high TCP port numbers, typically starting with "1", e.g. 12356, 14985, 13850, 19050, 13137. Third-party attackers who can reach infected systems can log on using any username/password combination.
References: [MVID-2021-0289]

Backdoor.Win32.Surila.j / Remote Denial of Service - the malware listens on random high TCP port numbers, typically starting with "1", e.g. 12356, 14985, 13850, 19050. Third-party attackers who can reach infected systems can log on using any username/password combination. Supplying a long string of characters for the FTP PORT command argument results in an access violation and crash.
References: [MVID-2021-0290]
 13894 tcp,udp ucontrol not scanned Ultimate Control communication protocol [NEGU Soft] (IANA official)
 14000 udp applications not scanned Osagent.exe in Borland VisiBroker Smart Agent 08.00.00.C1.03 and earlier allows remote attackers to cause a denial of service (crash) via a crafted packet with a large string length value to UDP port 14000, which triggers a memory allocation failure that is not properly handled.
References: [CVE-2008-7127], [BID-28084]

Integer overflow in osagent.exe in Borland VisiBroker Smart Agent 08.00.00.C1.03 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet with a large string length value to UDP port 14000, which triggers a heap-based buffer overflow.
References: [CVE-2008-7126] [BID-28084] [SECUNIA-29213] [OSVDB-43057]

SCOTTY High-Speed Filetransfer (IANA official)
 14000 tcp applications Premium scan Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management

The Data Archiver service in GE Intelligent Platforms Proficy Historian 4.5 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted session on TCP port 14000 to (1) ihDataArchiver.exe or (2) ihDataArchiver_x64.exe.
References: [CVE-2012-0229]
 14001 tcp,sctp sua not scanned SUA
 14002 tcp,udp scotty not scanned Tanne Daemon (tcp)
Discovery of a SCOTTY hardware codec board - Scotty Group SE (IANA official, udp)
 14010 tcp,udp applications not scanned Market Analyst Software
 14012 tcp worm not scanned W32.Remadworm [Symantec-2007-032608-5713-99] (2007.03.26) - a worm that spreads through removable media and may connect to a potentially malicious Web site or open a back door on the compromised computer.
 14013 tcp router not scanned AVM FRITZ!Box (any model) Child Protection (Kindersicherung) service port scan
 14100 tcp trojan Premium scan Trojan.Eurosol [Symantec-2001-052113-1339-99]

Trojan-Spy.Win32.Xspyout.a / Unauthenticated Open Proxy - the malware listens on TCP port 14100. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0268]
 14143 tcp icpps not scanned IANA registered for: IceWall Cert Protocol over TLS
 14147 tcp,udp applications not scanned FileZilla Server admin port
 14194 tcp trojan Premium scan CyberSpy trojan
 14200 tcp games not scanned America's Army
 14223 tcp malware not scanned Backdoor.Win32.Agent.ggw / Authentication Bypass - the malware runs a built-in FTP server listening on one of several random TCP ports like 32335, 27227, 27942, 14223, 14988, 11092. Third-party attackers who can reach the server and that know or guess the port can "logon" using any USER/PASS combination or provide no credentials at all.
References: [MVID-2021-0193]
 14237 tcp palm-hotsync not scanned Palm Computing Network Hotsync
 14238 tcp,udp palm-hotsync not scanned Palm Computing Network Hotsync

Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode.
References: [CVE-1999-1065]
 14247 tcp trojan Premium scan Trojan.Mitglieder.h [Symantec-2004-040712-3540-99] trojan

Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, allows remote attackers to cause a denial of service (CPU consumption) via arbitrary packets to TCP port 14247, as demonstrated using port scanning.
References: [BID-9469], [CVE-2004-1759], [XFDB-14901], [OSVDB-3691]
 14285 tcp trojan Premium scan Laocoon trojan
 14286 tcp trojans Premium scan HellDriver, Laocoon
 14287 tcp trojan Premium scan Laocoon trojan
 14300 tcp applications not scanned Symantec Veritas VRTSweb Incoming Data Remote Code Execution Vulnerability
References: [CVE-2009-3027], [BID-37012]
 14400 tcp applications not scanned Iris Online

W32.Lamin.B [Symantec-2003-110612-5307-99] (2003.11.05) - a virus that infects Portable Executable (PE) files. It can replicate across both fixed and remote drives. The virus also contains a keystroke logger and an IRC backdoor Trojan.
 14439 tcp applications not scanned APRS UI-View Amateur Radio UI-WebServer
 14456 tcp trojan Premium scan Solero trojan
 14500 tcp trojan Premium scan PC Invader 0.7 trojan

IANA registered for: xpra network protocol
 14501 tcp trojan Premium scan PC Invader 0.7 trojan
 14502 tcp trojan Premium scan PC Invader 0.7 trojan
 14503 tcp trojan Premium scan PC Invader 0.7 trojan
 14504 tcp trojan Premium scan PC Invader trojan
 14534 tcp teamspeak Premium scan Teamspeak server default web administration port (configurable in server.ini). Program also uses port 51234/tcp for server queries, and port 8767/udp.

TeamSpeak WebServer 2.0 for Windows does not validate parameter value lengths and does not expire TCP sessions, which allows remote attackers to cause a denial of service (CPU and memory consumption) via long username and password parameters in a request to login.tscmd on TCP port 14534.
References: [CVE-2007-3956], [BID-24977]
 14550 udp applications not scanned MAVLink Ground Station Port
 14567 udp games not scanned Battlefield 1942
 14600 tcp applications not scanned Iris Online
 14690 tcp,udp applications not scanned BitKeeper (bitmover.com) source management system

Battlefield 1942 game uses port 14690/udp
 14728 tcp trojans not scanned Backdoor.Zinx [Symantec-2003-111014-3109-99] (2003.11.10) - a trojan program that allows a compromised system to be used as a proxy. It also sends system information to the remote attacker.
 14800 tcp games not scanned Age of Wonders III p2p port
 14900 tcp applications not scanned K3 SYSPRO K3 Framework WCF Backbone
 14920 tcp malware not scanned Backdoor.Win32.Delf.zho / Authentication Bypass RCE - the malware listens on TCP port 21 and TCP ports 14920 to 14923. Third-party attackers who can reach the system can log on using any username/password combination. Attackers may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2021-0205]

Backdoor.Win32.RMFdoor.c / Authentication Bypass RCE - the malware listens on TCP ports 21, 14920. Attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2021-0220]
 14923 tcp malware not scanned Backdoor.Win32.Delf.zho / Authentication Bypass RCE - the malware listens on TCP port 21 and TCP ports 14920 to 14923. Third-party attackers who can reach the system can log on using any username/password combination. Attackers may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2021-0205]
 14936 tcp,udp hde-lcesrvr-1 not scanned hde-lcesrvr-1 [Horizon Digital Ente] (IANA official)
 14937 tcp,udp hde-lcesrvr-2 not scanned hde-lcesrvr-2 [Horizon Digital Ente] (IANA official)
 14942 tcp applications not scanned Trend Micro ServerProtect for Linux (SPLX) allows remote attackers to access arbitrary web pages and reconfigure the product via HTTP requests with the splx_2376_info cookie to the web interface port 14942/tcp.
References: [CVE-2007-1168], [BID-22662]
 14983 tcp,udp applications not scanned EnterpriseDT CompleteFTP Server prior to version 12.1.3 is vulnerable to information exposure in the Bootstrap.log file. This allows an attacker to obtain the administrator password hash.

CompleteFTP before 12.1.3 logs an obscured administrator password to a file during installation (C:\Program Files (x86)\Complete FTP\Server\Bootstrapper.log). If CompleteFTP is configured to permit remote administration (over port 14983) it is possible to obtain remote code execution through the administration interface.

References: [CVE-2019-16116], [EDB-48657]
 14985 tcp malware not scanned Backdoor.Win32.Surila.j / Port Bounce Scan - the malware listens on random high TCP port numbers, typically starting with "1", e.g. 12356, 14985, 13850, 19050, 13137. The malware has an FTP component that accepts any username/password credentials. Third-party attackers who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This allows remote attackers to abuse the infected system to discreetly conduct network port scanning. Scan targets will then think the scans originate from the infected system running the malware's FTP server and not from the actual attacker.
References: [MVID-2021-0288]

Backdoor.Win32.Surila.j / Authentication Bypass - the malware listens on random high TCP port numbers, typically starting with "1", e.g. 12356, 14985, 13850, 19050, 13137. Third-party attackers who can reach infected systems can log on using any username/password combination.
References: [MVID-2021-0289]

Backdoor.Win32.Surila.j / Remote Denial of Service - the malware listens on random high TCP port numbers, typically starting with "1", e.g. 12356, 14985, 13850, 19050. Third-party attackers who can reach infected systems can log on using any username/password combination. Supplying a long string of characters for the FTP PORT command argument results in an access violation and crash.
References: [MVID-2021-0290]
 14988 tcp malware not scanned Backdoor.Win32.Agent.ggw / Authentication Bypass - the malware runs a built-in FTP server listening on one of several random TCP ports like 32335, 27227, 27942, 14223, 14988, 11092. Third-party attackers who can reach the server and that know or guess the port can "logon" using any USER/PASS combination or provide no credentials at all.
References: [MVID-2021-0193]
 15000 tcp trojans not scanned R0xr4t, Route to the Hell, NetDaemon 1.0, psyBNC, Wesnoth, Kaspersky Network Agent

Some games use this port: Alien Crossfire (TCP/UDP), Alpha Centauri, Gridz (TCP/UDP), Links LS 2000 (TCP/UDP), Majesty (TCP/UDP), Master of Orion II (TCP/UDP), Star Conquest (TCP/UDP)

Samsung SBeam allows remote attackers to read arbitrary images by leveraging an NFC connection to access the HTTP server on port 15000.
References: [CVE-2015-4033]

Hypack Data Aquisition (TCP/UDP) (IANA official)
 15000 udp klnagent not scanned Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
 15001 tcp games not scanned Ground Control
 15001 udp klnagent not scanned Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
 15002 tcp onep-tls not scanned Open Network Environment TLS [Cisco_3] (IANA official)
 15012 tcp,udp applications not scanned Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, 'istiod', is vulnerable to a request processing error, allowing a malicious attacker to send a specially crafted message that results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [multicluster](https://istio.io/latest/docs/setup/install/multicluster/primary-remote/) topologies, this port is exposed over the public internet. There are no effective workarounds, beyond upgrading. Limiting network access to Istiod to the minimal set of clients can help lessen the scope of the vulnerability to some extent.
References: [CVE-2022-23635]
 15017 tcp,udp applications not scanned Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker to send a specially crafted message that results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities.
References: [CVE-2022-24726]

Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker to send a specially crafted or oversized message that results in the control plane crashing when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. Versions 1.15.2, 1.14.5, and 1.13.9 contain patches for this issue. There are no effective workarounds, beyond upgrading. This bug is due to an error in `regexp.Compile` in Go.
References: [CVE-2022-39278]
 15064 tcp apps not scanned LogMeIn may use port 15064/tcp
Dameware (dwrcs.exe) may use this port

Ring Doorbell uses TCP ports 80, 443, 5228, 15064. In addition, it may use a random UDP port, and outbound TCP ports 7078, 9078, 9998, 9999, 15063
 15077 tcp,udp applications not scanned The MPS functionality in Enterasys SSR8000 (Smart Switch Router) before firmware 8.3.0.10 allows remote attackers to cause a denial of service (crash) via multiple port scans to ports 15077 and 15078.
References: [BID-5703], [CVE-2002-1501], [XFDB-10096]
 15078 tcp,udp applications not scanned The MPS functionality in Enterasys SSR8000 (Smart Switch Router) before firmware 8.3.0.10 allows remote attackers to cause a denial of service (crash) via multiple port scans to ports 15077 and 15078.
References: [BID-5703], [CVE-2002-1501], [XFDB-10096]
 15092 tcp trojan not scanned Host Control trojan
 15101 tcp games not scanned Tribes 2, Emperor: Rise of the Middle Kingdom, Ground Control, Hoyle Online, Swat 3, Arcanum, PGA Championship Golf 2000
 15104 tcp trojan not scanned Mstream trojan

Tribes 2 also uses this port.
 15111 udp ksnproxy not scanned Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
 15118 tcp trojans Premium scan Dipnet (a.k.a. Oddbob) trojan. Exploits the Windows port 445 vulnerability (MS Security Bulletin [MS04-011]). Uses tcp ports 11768 and 15118.
 15118 udp v2g-secc not scanned IANA registered for: v2g Supply Equipment Communication Controller Discovery Protocol
 15152 tcp applications not scanned Exteel
 15200 tcp games not scanned Nascar 3, Emperor: Rise of the Middle Kingdom, Ground Control, Hoyle Online, Swat 3
 15204 tcp games not scanned Tribes 2, Arcanum
 15206 tcp trojan Premium scan KiLo [Symantec-2003-021319-1815-99] trojan

Tribes 2 also uses this port.

Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546]
 15207 tcp trojan Premium scan KiLo trojan [Symantec-2003-021319-1815-99]

Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546]
 15210 udp trojan not scanned UDP remote shell backdoor server
 15213 tcp,udp games not scanned Original War
 15252 tcp,udp routers not scanned Port 15252/UDP used by MikroTik routers IP Cloud
 15300 tcp games not scanned Emperor: Rise of the Middle Kingdom, Swat 3, Arcanum
 15345 tcp,udp xpilot not scanned IANA registered for: XPilot Contact
 15348 tcp trojans not scanned Backdoor.Bionet.404 [Symantec-2003-110416-1452-99] (2003.11.04) - a backdoor program that permits a remote attacker access on TCP port 15348.
 15367 tcp,udp games not scanned Aleph One, developer: Bungie Software
 15382 tcp trojan Premium scan SubZero trojan
 15400 udp games not scanned Homeworld
 15401 udp games not scanned Homeworld
 15425 tcp,udp trojan Premium scan Backdoor.Rohimafo [Symantec-2010-041308-3301-99] (2010.04.13) - a trojan horse that opens a back door and steals information from the compromised computer. It creates a proxy server on TCP port 15425.

IRLP - Internet Radio Linking Project (uses port 1545 tcp/udp)
 15432 tcp trojans Premium scan Backdoor.Cyn [Symantec-2002-083012-4557-99] (2002.08) - remote access trojan, affects all current Windows versions, listens on ports 15432 and 51234.
 15441 tcp,udp applications not scanned ZeroNet fileserver
 15485 tcp trojan Premium scan KiLo trojan [Symantec-2003-021319-1815-99]
 15486 tcp,udp trojan not scanned KiLo trojan [Symantec-2003-021319-1815-99]
 15500 tcp trojan Premium scan In Route to the Hell trojan

Nascar 3, Hoyle Online also use this port.
 15512 tcp trojan Premium scan Iani trojan
 15551 tcp trojan Premium scan In Route to the Hell trojan
 15553 tcp trojans not scanned Backdoor.Dewin [Symantec-2002-061211-5916-99] (2002.06.12) - allows a hacker to gain access to and remotely control an infected computer. The Trojan program is written in Microsoft Visual C++ and is compressed with PECompact.
 15555 tcp trojan Premium scan ICMIBC trojan
 15556 tcp,udp applications not scanned Jeex.EU Artesia (direct client-to-db.service)
 15567 udp applications not scanned Battlefield Vietnam server port
 15668 udp games not scanned Heroes of Might and Magic III, developer: New World Computing
 15670 tcp stomp not scanned Port sometimes used by STOMP (Simple/Streaming Text Oriented Messaging Protocol, a web version of AMQP, or MQTT).
 15672 tcp,udp applications not scanned 360 Share, developer: 360share

RabbitMQ management plugin uses this port

Vulnerabilities listed: 100 (some use multiple ports)