Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
Port(s) |
Protocol |
Service |
Scan level |
Description |
13753 |
tcp |
trojan |
Premium scan |
Anal FTP trojan |
13782 |
tcp,udp |
bpcd |
not scanned |
VERITAS NetBackup (IANA official) |
13783 |
tcp |
vopied |
not scanned |
Symantec VOPIED protocol (formerly VERITAS)
Veritas PBX (Private Branch Exchange) Service uses the following ports:
1556 - Veritas PBX Service
2821 - VxSS Authentication Service
4032 - VxSS Authorization Service
13724 - Veritas NetBackup Network Service
13783 - nbatd
13722 - nbazd
|
13785 |
tcp,udp |
nbdb |
not scanned |
NetBackup Database (IANA official) |
13786 |
tcp,udp |
nomdb |
not scanned |
Veritas-nomdb (IANA official) |
13823 |
tcp |
bmdss |
not scanned |
IANA registered for: Blackmagic Design Streaming Server |
13832 |
tcp |
a-trust-rpc |
not scanned |
Certificate Management and Issuing (IANA official) |
13838 |
tcp |
applications |
not scanned |
hydra.exe in HP SAN/iQ before 9.5 on the HP Virtual SAN Appliance has a hardcoded password of L0CAlu53R for the global$agent account, which allows remote attackers to obtain access to a management service via a login: request to TCP port 13838.
References: [CVE-2012-4362]
HP LeftHand Virtual SAN Appliance is vulnerable to a stack-based buffer overflow in the LHNSessionManager component of the hydra service. By sending an overly long username to the hydra service listening on TCP port 13838, a remote attacker could overflow a buffer and execute arbitrary code on the system with root privileges.
References: [XFDB-85355], [CVE-2013-2343], [BID-60884] |
13850 |
tcp |
malware |
not scanned |
Backdoor.Win32.Surila.j / Port Bounce Scan - the malware listens on random high TCP port numbers typically starting with "1", e.g. 12356, 14985, 13850, 19050, 13137. The malware has an FTP component that accepts any username/password credentials. Third-party attackers who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans originate from the infected system running the malware FTP server and not from the attacker.
References: [MVID-2021-0288]
Backdoor.Win32.Surila.j / Authentication Bypass - the malware listens on random high TCP port numbers typically starting with "1", e.g. 12356, 14985, 13850, 19050, 13137. Third-party attackers who can reach infected systems can log on using any username/password combination.
References: [MVID-2021-0289]
Backdoor.Win32.Surila.j / Remote Denial of Service - the malware listens on random high TCP port numbers typically starting with "1", e.g. 12356, 14985, 13850, 19050. Third-party attackers who can reach infected systems can log on using any username/password combination. Supplying a long string of characters for the FTP PORT command argument results in an access violation and crash.
References: [MVID-2021-0290] |
13894 |
tcp,udp |
ucontrol |
not scanned |
Ultimate Control communication protocol [NEGU Soft] (IANA official) |
14000 |
udp |
applications |
not scanned |
Osagent.exe in Borland VisiBroker Smart Agent 08.00.00.C1.03 and earlier allows remote attackers to cause a denial of service (crash) via a crafted packet with a large string length value to UDP port 14000, which triggers a memory allocation failure that is not properly handled.
References: [CVE-2008-7127], [BID-28084]
Integer overflow in osagent.exe in Borland VisiBroker Smart Agent 08.00.00.C1.03 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet with a large string length value to UDP port 14000, which triggers a heap-based buffer overflow.
References: [CVE-2008-7126], [BID-28084], [SECUNIA-29213], [OSVDB-43057]
SCOTTY High-Speed Filetransfer (IANA official) |
14000 |
tcp |
applications |
Premium scan |
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
The Data Archiver service in GE Intelligent Platforms Proficy Historian 4.5 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted session on TCP port 14000 to (1) ihDataArchiver.exe or (2) ihDataArchiver_x64.exe.
References: [CVE-2012-0229] |
14001 |
tcp,sctp |
sua |
not scanned |
SUA |
14002 |
tcp,udp |
scotty |
not scanned |
Tanne Daemon (tcp)
Discovery of a SCOTTY hardware codec board - Scotty Group SE (IANA official, udp) |
14010 |
tcp,udp |
applications |
not scanned |
Market Analyst Software |
14012 |
tcp |
worm |
not scanned |
W32.Remadworm [Symantec-2007-032608-5713-99] (2007.03.26) - a worm that spreads through removable media and may connect to a potentially malicious Web site or open a back door on the compromised computer. |
14013 |
tcp |
router |
not scanned |
AVM FRITZ!Box (any model) Child Protection (Kindersicherung) service port scan |
14100 |
tcp |
trojan |
Premium scan |
Trojan.Eurosol [Symantec-2001-052113-1339-99]
Trojan-Spy.Win32.Xspyout.a / Unauthenticated Open Proxy - the malware listens on TCP port 14100. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the originating system. Attackers may then be able to launch attacks, download files or port scan third-party systems, and it will appear as if the attacks originated from the infected host.
References: [MVID-2021-0268] |
14143 |
tcp |
icpps |
not scanned |
IANA registered for: IceWall Cert Protocol over TLS |
14147 |
tcp,udp |
applications |
not scanned |
FileZilla Server admin port |
14194 |
tcp |
trojan |
Premium scan |
CyberSpy trojan |
14200 |
tcp |
games |
not scanned |
America's Army |
14223 |
tcp |
malware |
not scanned |
Backdoor.Win32.Agent.ggw / Authentication Bypass - the malware runs a built-in FTP server listening on one of several random TCP ports like 32335, 27227, 27942, 14223, 14988, 11092. Third-party attackers who can reach the server and who know or guess the port can "log on" using any USER/PASS combination or provide no credentials at all.
References: [MVID-2021-0193] |
14237 |
tcp |
palm-hotsync |
not scanned |
Palm Computing Network Hotsync |
14238 |
tcp,udp |
palm-hotsync |
not scanned |
Palm Computing Network Hotsync
Palm Pilot HotSync Manager 3.0.4 in Windows 98 allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long string to port 14238 while the manager is in network mode.
References: [CVE-1999-1065] |
14247 |
tcp |
trojan |
Premium scan |
Trojan.Mitglieder.h [Symantec-2004-040712-3540-99] trojan
Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, allow remote attackers to cause a denial of service (CPU consumption) via arbitrary packets to TCP port 14247, as demonstrated using port scanning.
References: [BID-9469], [CVE-2004-1759], [XFDB-14901], [OSVDB-3691] |
14285 |
tcp |
trojan |
Premium scan |
Laocoon trojan |
14286 |
tcp |
trojans |
Premium scan |
HellDriver, Laocoon |
14287 |
tcp |
trojan |
Premium scan |
Laocoon trojan |
14300 |
tcp |
applications |
not scanned |
Symantec Veritas VRTSweb Incoming Data Remote Code Execution Vulnerability
References: [CVE-2009-3027], [BID-37012] |
14400 |
tcp |
applications |
not scanned |
Iris Online
W32.Lamin.B [Symantec-2003-110612-5307-99] (2003.11.05) - a virus that infects Portable Executable (PE) files. It can replicate across both fixed and remote drives. The virus also contains a keystroke logger and an IRC backdoor Trojan. |
14439 |
tcp |
applications |
not scanned |
APRS UI-View Amateur Radio UI-WebServer |
14456 |
tcp |
trojan |
Premium scan |
Solero trojan |
14500 |
tcp |
trojan |
Premium scan |
PC Invader 0.7 trojan
IANA registered for: xpra network protocol |
14501 |
tcp |
trojan |
Premium scan |
PC Invader 0.7 trojan |
14502 |
tcp |
trojan |
Premium scan |
PC Invader 0.7 trojan |
14503 |
tcp |
trojan |
Premium scan |
PC Invader 0.7 trojan |
14504 |
tcp |
trojan |
Premium scan |
PC Invader trojan |
14534 |
tcp |
teamspeak |
Premium scan |
Teamspeak server default web administration port (configurable in server.ini). Program also uses port 51234/tcp for server queries, and port 8767/udp.
TeamSpeak WebServer 2.0 for Windows does not validate parameter value lengths and does not expire TCP sessions, which allows remote attackers to cause a denial of service (CPU and memory consumption) via long username and password parameters in a request to login.tscmd on TCP port 14534.
References: [CVE-2007-3956], [BID-24977] |
14550 |
udp |
applications |
not scanned |
MAVLink Ground Station Port |
14567 |
udp |
games |
not scanned |
Battlefield 1942 |
14600 |
tcp |
applications |
not scanned |
Iris Online |
14690 |
tcp,udp |
applications |
not scanned |
BitKeeper (bitmover.com) source management system
Battlefield 1942 game uses port 14690/udp |
14728 |
tcp |
trojans |
not scanned |
Backdoor.Zinx [Symantec-2003-111014-3109-99] (2003.11.10) - a trojan program that allows a compromised system to be used as a proxy. It also sends system information to the remote attacker. |
14800 |
tcp |
games |
not scanned |
Age of Wonders III p2p port |
14900 |
tcp |
applications |
not scanned |
K3 SYSPRO K3 Framework WCF Backbone |
14920 |
tcp |
malware |
not scanned |
Backdoor.Win32.Delf.zho / Authentication Bypass RCE - the malware listens on TCP port 21 and TCP ports 14920 to 14923. Third-party attackers who can reach the system can log on using any username/password combination. Attackers may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2021-0205]
Backdoor.Win32.RMFdoor.c / Authentication Bypass RCE - the malware listens on TCP ports 21, 14920. Attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2021-0220]
|
14923 |
tcp |
malware |
not scanned |
Backdoor.Win32.Delf.zho / Authentication Bypass RCE - the malware listens on TCP port 21 and TCP ports 14920 to 14923. Third-party attackers who can reach the system can log on using any username/password combination. Attackers may then upload executables using the FTP PASV and STOR commands, which can result in remote code execution.
References: [MVID-2021-0205] |
14936 |
tcp,udp |
hde-lcesrvr-1 |
not scanned |
hde-lcesrvr-1 [Horizon Digital Ente] (IANA official) |
14937 |
tcp,udp |
hde-lcesrvr-2 |
not scanned |
hde-lcesrvr-2 [Horizon Digital Ente] (IANA official) |
14942 |
tcp |
applications |
not scanned |
Trend Micro ServerProtect for Linux (SPLX) allows remote attackers to access arbitrary web pages and reconfigure the product via HTTP requests with the splx_2376_info cookie to the web interface port 14942/tcp.
References: [CVE-2007-1168], [BID-22662] |
14983 |
tcp,udp |
applications |
not scanned |
EnterpriseDT CompleteFTP Server prior to version 12.1.3 is vulnerable to information exposure in the Bootstrap.log file. This allows an attacker to obtain the administrator password hash.
CompleteFTP before 12.1.3 logs an obscured administrator password to a file during installation (C:\Program Files (x86)\Complete FTP\Server\Bootstrapper.log). If CompleteFTP is configured to permit remote administration (over port 14983) it is possible to obtain remote code execution through the administration interface.
References: [CVE-2019-16116], [EDB-48657] |
14985 |
tcp |
malware |
not scanned |
Backdoor.Win32.Surila.j / Port Bounce Scan - the malware listens on random high TCP port numbers typically starting with "1", e.g. 12356, 14985, 13850, 19050, 13137. The malware has an FTP component that accepts any username/password credentials. Third-party attackers who successfully log on can abuse the backdoor FTP server as a man-in-the-middle machine, allowing PORT command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans originate from the infected system running the malware FTP server and not from the attacker.
References: [MVID-2021-0288]
Backdoor.Win32.Surila.j / Authentication Bypass - the malware listens on random high TCP port numbers typically starting with "1", e.g. 12356, 14985, 13850, 19050, 13137. Third-party attackers who can reach infected systems can log on using any username/password combination.
References: [MVID-2021-0289]
Backdoor.Win32.Surila.j / Remote Denial of Service - the malware listens on random high TCP port numbers typically starting with "1", e.g. 12356, 14985, 13850, 19050. Third-party attackers who can reach infected systems can log on using any username/password combination. Supplying a long string of characters for the FTP PORT command argument results in an access violation and crash.
References: [MVID-2021-0290] |
14988 |
tcp |
malware |
not scanned |
Backdoor.Win32.Agent.ggw / Authentication Bypass - the malware runs a built-in FTP server listening on one of several random TCP ports like 32335, 27227, 27942, 14223, 14988, 11092. Third-party attackers who can reach the server and who know or guess the port can "log on" using any USER/PASS combination or provide no credentials at all.
References: [MVID-2021-0193] |
15000 |
tcp |
trojans |
not scanned |
R0xr4t, Route to the Hell, NetDaemon 1.0, psyBNC, Wesnoth, Kaspersky Network Agent
Some games use this port: Alien Crossfire (TCP/UDP), Alpha Centauri, Gridz (TCP/UDP), Links LS 2000 (TCP/UDP), Majesty (TCP/UDP), Master of Orion II (TCP/UDP), Star Conquest (TCP/UDP)
Samsung SBeam allows remote attackers to read arbitrary images by leveraging an NFC connection to access the HTTP server on port 15000.
References: [CVE-2015-4033]
Hypack Data Aquisition (TCP/UDP) (IANA official) |
15000 |
udp |
klnagent |
not scanned |
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
|
15001 |
tcp |
games |
not scanned |
Ground Control |
15001 |
udp |
klnagent |
not scanned |
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
|
15002 |
tcp |
onep-tls |
not scanned |
Open Network Environment TLS [Cisco_3] (IANA official) |
15012 |
tcp,udp |
applications |
not scanned |
Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, 'istiod', is vulnerable to a request processing error that allows a malicious attacker to crash the control plane by sending a specially crafted message. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [multicluster](https://istio.io/latest/docs/setup/install/multicluster/primary-remote/) topologies, this port is exposed over the public internet. There are no effective workarounds beyond upgrading. Limiting network access to Istiod to the minimal set of clients can help lessen the scope of the vulnerability to some extent.
References: [CVE-2022-23635] |
15017 |
tcp,udp |
applications |
not scanned |
Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error that allows a malicious attacker to crash the control plane by sending a specially crafted message when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities.
References: [CVE-2022-24726]
Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plane, istiod, is vulnerable to a request processing error that allows a malicious attacker to crash the control plane by sending a specially crafted or oversized message when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. Versions 1.15.2, 1.14.5, and 1.13.9 contain patches for this issue. There are no effective workarounds beyond upgrading. This bug is due to an error in `regexp.Compile` in Go.
References: [CVE-2022-39278] |
15064 |
tcp |
apps |
not scanned |
LogMeIn may use port 15064/tcp
Dameware (dwrcs.exe) may use this port
Ring Doorbell uses TCP ports 80, 443, 5228, 15064. In addition, it may use a random UDP port, and outbound TCP ports 7078, 9078, 9998, 9999, 15063
|
15077 |
tcp,udp |
applications |
not scanned |
The MPS functionality in Enterasys SSR8000 (Smart Switch Router) before firmware 8.3.0.10 allows remote attackers to cause a denial of service (crash) via multiple port scans to ports 15077 and 15078.
References: [BID-5703], [CVE-2002-1501], [XFDB-10096] |
15078 |
tcp,udp |
applications |
not scanned |
The MPS functionality in Enterasys SSR8000 (Smart Switch Router) before firmware 8.3.0.10 allows remote attackers to cause a denial of service (crash) via multiple port scans to ports 15077 and 15078.
References: [BID-5703], [CVE-2002-1501], [XFDB-10096] |
15092 |
tcp |
trojan |
not scanned |
Host Control trojan |
15101 |
tcp |
games |
not scanned |
Tribes 2, Emperor: Rise of the Middle Kingdom, Ground Control, Hoyle Online, Swat 3, Arcanum, PGA Championship Golf 2000 |
15104 |
tcp |
trojan |
not scanned |
Mstream trojan
Tribes 2 also uses this port. |
15111 |
udp |
ksnproxy |
not scanned |
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
|
15118 |
tcp |
trojans |
Premium scan |
Dipnet (a.k.a. Oddbob) trojan. Exploits the Windows port 445 vulnerability (MS Security Bulletin [MS04-011]). Uses tcp ports 11768 and 15118. |
15118 |
udp |
v2g-secc |
not scanned |
IANA registered for: v2g Supply Equipment Communication Controller Discovery Protocol |
15152 |
tcp |
applications |
not scanned |
Exteel |
15200 |
tcp |
games |
not scanned |
Nascar 3, Emperor: Rise of the Middle Kingdom, Ground Control, Hoyle Online, Swat 3 |
15204 |
tcp |
games |
not scanned |
Tribes 2, Arcanum |
15206 |
tcp |
trojan |
Premium scan |
KiLo [Symantec-2003-021319-1815-99] trojan
Tribes 2 also uses this port.
Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546] |
15207 |
tcp |
trojan |
Premium scan |
KiLo trojan [Symantec-2003-021319-1815-99]
Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546] |
15210 |
udp |
trojan |
not scanned |
UDP remote shell backdoor server |
15213 |
tcp,udp |
games |
not scanned |
Original War |
15252 |
tcp,udp |
routers |
not scanned |
Port 15252/UDP used by MikroTik routers IP Cloud |
15300 |
tcp |
games |
not scanned |
Emperor: Rise of the Middle Kingdom, Swat 3, Arcanum |
15345 |
tcp,udp |
xpilot |
not scanned |
IANA registered for: XPilot Contact |
15348 |
tcp |
trojans |
not scanned |
Backdoor.Bionet.404 [Symantec-2003-110416-1452-99] (2003.11.04) - a backdoor program that permits a remote attacker access on TCP port 15348. |
15367 |
tcp,udp |
games |
not scanned |
Aleph One, developer: Bungie Software |
15382 |
tcp |
trojan |
Premium scan |
SubZero trojan |
15400 |
udp |
games |
not scanned |
Homeworld |
15401 |
udp |
games |
not scanned |
Homeworld |
15425 |
tcp,udp |
trojan |
Premium scan |
Backdoor.Rohimafo [Symantec-2010-041308-3301-99] (2010.04.13) - a trojan horse that opens a back door and steals information from the compromised computer. It creates a proxy server on TCP port 15425.
IRLP - Internet Radio Linking Project (uses port 1545 tcp/udp) |
15432 |
tcp |
trojans |
Premium scan |
Backdoor.Cyn [Symantec-2002-083012-4557-99] (2002.08) - remote access trojan, affects all current Windows versions, listens on ports 15432 and 51234. |
15441 |
tcp,udp |
applications |
not scanned |
ZeroNet fileserver |
15485 |
tcp |
trojan |
Premium scan |
KiLo trojan [Symantec-2003-021319-1815-99] |
15486 |
tcp,udp |
trojan |
not scanned |
KiLo trojan [Symantec-2003-021319-1815-99] |
15500 |
tcp |
trojan |
Premium scan |
In Route to the Hell trojan
Nascar 3, Hoyle Online also use this port. |
15512 |
tcp |
trojan |
Premium scan |
Iani trojan |
15551 |
tcp |
trojan |
Premium scan |
In Route to the Hell trojan |
15553 |
tcp |
trojans |
not scanned |
Backdoor.Dewin [Symantec-2002-061211-5916-99] (2002.06.12) - allows a hacker to gain access to and remotely control an infected computer. The Trojan program is written in Microsoft Visual C++ and is compressed with PECompact. |
15555 |
tcp |
trojan |
Premium scan |
ICMIBC trojan |
15556 |
tcp,udp |
applications |
not scanned |
Jeex.EU Artesia (direct client-to-db.service) |
15567 |
udp |
applications |
not scanned |
Battlefield Vietnam server port |
15668 |
udp |
games |
not scanned |
Heroes of Might and Magic III, developer: New World Computing |
15670 |
tcp |
stomp |
not scanned |
Port sometimes used by STOMP (Simple/Streaming Text Oriented Messaging Protocol, a web version of AMQP, or MQTT). |
15672 |
tcp,udp |
applications |
not scanned |
360 Share, developer: 360share
RabbitMQ management plugin uses this port |
Vulnerabilities listed: 100 (some use multiple ports)
|