The Broadband Guide
SG
search advanced
 Username:
 Password:
Register
 forgot password?

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please . Any feedback and suggestions can also be posted to our Security forum.

 1 |....| 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 
Port(s) Protocol Service Scan level Description
 48094 tcp trojans Premium scan Backdoor.Nibu.M (07.12.2005) - a a trojan with backdoor capabilities, that runs a keylogger, sends information periodically to a remote server (via http), and also blocks access to security-related websites. Listens for remote commands on port 48094/tcp.
 48101 tcp applications not scanned Stack-based buffer overflow in PQCore.exe in Print Manager Plus 2008 Client Billing and Authentication allows remote attackers to cause a denial of service (service outage) via a series of long packets to TCP port 48101.
References: [CVE-2008-0693], [BID-27604]
 48512 tcp trojan Premium scan Arctic trojan
 48556 tcp,udp com-bardac-dw not scanned com-bardac-dw
 48653 tcp,udp robotraconteur not scanned Robot Raconteur transport - a communication library for robotics and automation, developed by Wason Technology, LLC [Wason_Technology_LLC] (IANA official)
 48899 udp applications not scanned The Beckhoff TwinCAT version <= 2.11.0.2004 can be brought down by sending a crafted UDP packet to port 48899 (TCATSysSrv.exe).
References: [CVE-2011-3486], [OSVDB-75495]
 49000 tcp trojan Premium scan Fraggle Rock trojan

IANA registered for: Matahari Broker
 49001 udp games not scanned Far Cry

IANA registered for: Nuance Unity Service Discovery Protocol
 49001 tcp nusrp not scanned IANA registered for: Nuance Unity Service Request Protocol
 49002 tcp,udp games not scanned Far Cry
 49124 tcp,udp games not scanned Far Cry
 49152 tcp,udp applications Members scan As the first port in the dynamic/private range (49152-65535), this port is commonly used by applications that utilize a dynamic/random/configurable port.

Many embedded Linux based systems (i.e. home routers, remote management devices, IP cameras) have UPnP enabled, broadcasting their kernel version and hardware architecture over port 49152.

Some P2P torernt clients often use this port: uTorrent, Azureus/Vuze, etc.

Older IPMI firmware versions reveal cleartext login credentials over UDP port 49152.

Apple Xsan Filesystem Access uses the dynamic/private range 49152-65535.
Xsan (Apple's storage area network, or clustered filesystem for macOS) uses these ports:
311 TCP - Xsan secure server administration (server app, xsan server admin, workgroup manager, server monitor)
312 TCP - Xsan administration
626 UDP - server serial number registration (Xsan, Mac OS X Server v10.3 – v10.6)
49152-65535 TCP - Xsan Filesystem Access

The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG599 devices, when IP Passthrough mode is not used, configures an unauthenticated proxy service on WAN TCP port 49152, which allows remote attackers to establish arbitrary TCP connections to intranet hosts by sending \x2a\xce\x01 followed by other predictable values.
References: [CVE-2017-14117], [BID-100585]
 49153 tcp applications not scanned ANTLR, ANother Tool for Language Recognition, (formerly PCCTS) - a parser generator for recognizing languages
 49154 tcp applications not scanned Xsan Filesystem Access
 49156 tcp,udp applications not scanned Azureus
 49159 tcp,udp applications Premium scan Bonjour for Windows - employed by iTunes and iChat for sharing files between Windows and Mac OS.
 49160 tcp,udp applications not scanned SJPhone (VoIP softphone), Azureus/Vuze BitTorrent client
 49165 tcp,udp applications not scanned Siebel Server - Siebel Customer Relationship Management application
 49177 tcp applications not scanned Monsoon Vulkano
 49181 tcp games not scanned Empire: Total War, developer: The Creative Assembly
 49182 tcp,udp applications not scanned BlueHeat/Net Port 15 - Command Port
 49201 tcp applications not scanned Borland StarTeam is vulnerable to a heap-based buffer overflow, caused by an integer overflow error in the StarTeam Server service (starteamserver.exe). By sending specially-crafted packets to TCP port 49201, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Reference: [XFDB-40965]
 49301 tcp trojan Premium scan Online Keylogger (TCP)
 49495 tcp trojans Premium scan Backdoor.Danrit (2005.11.16) - a trojan that opens a backdoor and logs keystrokes. Opens a backdoor on port 49495/tcp.
 49683 tcp,udp trojan not scanned Fenster trojan (a.k.a. Trojan.Win32.Fenster, Backdoor.Fenster.21)
 49698 udp trojan not scanned KiLo trojan
 49875 tcp xsan not scanned Xsan (Apple's storage area network, or clustered filesystem for macOS) uses these ports:
311 TCP - Xsan secure server administration (server app, xsan server admin, workgroup manager, server monitor)
312 TCP - Xsan administration
626 UDP - server serial number registration (Xsan, Mac OS X Server v10.3 – v10.6)
49152-65535 TCP - Xsan Filesystem Access
 49896 tcp oracle not scanned Oracle Database Management uses the following ports:
1521 TCP - Oracle SQL Net Listener and Data Guard
1832 TCP - Oracle Enterprise Management Agent HTTP (range 1830-1849)
49896 TCP - Oracle Clusterware (CRS daemon)
 49955 tcp,udp applications not scanned The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG599 device, when IP Passthrough mode is not used, configures WAN access to a caserver https service with the tech account and an empty password, which allows remote attackers to obtain root privileges by establishing a session on port 49955 and then installing new software, such as BusyBox with "nc -l" support.
References: [CVE-2017-14116], [BID-100585]
 50000 tcp trojans Premium scan Infector, SubSARI

SVAT CLEARVU1, Serv-U use ports 50000-50004 (TCP/UDP)
 50000 udp applications not scanned The EN100 module with firmware before 4.25 for Siemens SIPROTEC 4 and SIPROTEC Compact devices allows remote attackers to cause a denial of service via crafted packets on UDP port 50000.
References: [CVE-2015-5374], [XFDB-104946]
 50001 tcp,udp applications not scanned Java Remote Shell Server, Zotero, IBM DB2

The management interface on the 2wire Gateway 1700HG, 1701HG, 1800HW, 2071, 2700HG, and 2701HG-T with software before 5.29.52 allows remote attackers to cause a denial of service (reboot) via a %0d%0a sequence in the page parameter to the xslt program on TCP port 50001.
References: [CVE-2009-3962]
 50003 tcp,udp applications not scanned Apple FileMaker server service
 50004 tcp,udp applications not scanned Serv-U uses ports 50000-50004
 50005 tcp trojan Premium scan Trojan.Fulamer.25
 50006 tcp,udp applications not scanned Apple FileMaker helper service
 50021 tcp trojan Premium scan Optix Pro trojan

Hard-coded FTP credentials (r:r) are included in the Foscam C1 running firmware 1.9.1.12. Knowledge of these credentials would allow remote access to any cameras found on the internet that do not have port 50021 blocked by an intermediate device.
References: [CVE-2016-8731], [BID-99193]
 50047 udp games not scanned Virtual Tennis, developer: Strangelite
 50123 udp applications not scanned Vulnerability in GpsDrive, can cause a DoS (Denial of Service) and potentially to compromise a vulnerable system. The vulnerability is caused due to a format string error in the "dg_echo()" function in "friendsd.c" when displaying received GPS position data. This can potentially be exploited to execute arbitrary code via a specially crafted UDP packet. Successful exploitation requires the ability to send UDP packets to port 50123/udp.
References: [CVE-2005-3523] [SECUNIA-17473]
 50130 tcp trojan Premium scan Enterprise trojan
 50138 udp applications not scanned Network Assistant (Nassi) is vulnerable to a denial of service attack. A remote attacker could send a specially-crafted UDP packet to UDP port 50138, which is the default port for Nassi, to cause the service to crash.
References: [BID-12226], [XFDB-18826], [SECUNIA-13770]
 50200 tcp,udp altiris-wol not scanned Symantec Altiris Notification and Task Server WOL magic packets use this port.
 50305 tcp trojans Members scan Backdoor.Longnu (2003.03.11) - a trojan that gives a hacker access to your computer. It downloads other components from specific Web sites. Upon execution, this trojan also displays a fake error message, "Error #251: Failed to init randomized generator."
 50370 tcp trojans Members scan Backdoor.Cycbot - a trojan that opens a back door on TCP port 50370 to listen for inbound connections. It may use this port to act as a proxy server. It modifies the proxy settings of Internet Explorer, Mozilla Firefox, and Opera browsers to point to the proxy server on port 50370.

It may also contact the malicious server and report back what version of itself is running and may download updates. The Trojan may monitor activity on popular websites, such as social networks, search engines, e-commerce, and video websites.

The Trojan also uses a random number to select what server to report back to and may use a specific user-agent string to mark itself.
 50505 tcp trojans Premium scan Sockets des Trois2 trojan. Typically uses ports 5000, 5001, 30303, and 50505. Includes remote administration tool like Back Orifice and NetBus, so it has a server (spread with virus) and client portion.
 50551 tcp trojan Premium scan R0xr4t trojan
 50552 tcp trojan Premium scan R0xr4t trojan
 50726 tcp,udp voddler not scanned Voddler uses ports 42042-42051 and 50726.
 50766 tcp trojans Premium scan Fore remote access trojan - ports 21, 50766
Scwhindler remote access trojan - ports 21554, 50766
 50776 tcp trojans Premium scan Fore, Fore 1.0, Remote Windows Shutdown
 50777 tcp applications not scanned zenAdminSrv.exe in Ing. Punzenberger COPA-DATA zenon 6.51 SP0 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted packet to TCP port 50777, aka Reference Number 25240.
References: [CVE-2011-4533], [BID-51897]
 50829 tcp,udp trojan not scanned KiLo trojan
 51003 tcp applications not scanned Multiple cross-site request forgery (CSRF) vulnerabilities in the Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub 6.2.6.B and earlier, allow remote attackers to perform actions as administrators via unspecified POST requests, as demonstrated by enabling an inbound remote-assistance HTTPS session on TCP port 51003.
NOTE: an authentication bypass can be leveraged to exploit this in the absence of an existing administrative session.
References: [CVE-2007-5384], [BID-25972]
 51100 tcp applications not scanned The web GUI for Novell iChain 2.2 and 2.3 SP2 and SP3 allows attackers to hijack sessions and gain administrator privileges by sniffing the connection on TCP port 51100 and replaying the authentication information or obtaining and replaying the PCZQX02 authentication cookie from the browser.
References: [CVE-2005-0744]
 51201 tcp,udp applications not scanned Dialpad
 51210 tcp applications not scanned Dialpad
 51234 tcp trojans Premium scan Backdoor.Cyn (2002.08) - remote access trojan, affects all current Windows versions, listens on ports 15432 and 51234.

Backdoor.Fearles (2003.11.18) - a trojan horse that gives an attacker remote access to your computer. By default, the trojan listens on TCP port 51234.

Port also used by TeamSpeak server to telnet remotely.
 51410 tcp not scanned VDG Security SENSE (formerly DIVA) 2.3.13 sends the user database when a user logs in, which allows remote authenticated users to obtain usernames and password hashes by logging in to TCP port 51410 and reading the response.
References: [CVE-2014-9577]
 51413 tcp,udp p2p Premium scan Commonly used by Transmission BitTorrent Client.
 51435 tcp trojans Members scan W32.Kalel.A@mm (05.24.2005) - mass-mailing worm that uses its own SMTP engine, also spreads through file-sharing networks. Opens a backdoor for remote access on port 51435/tcp.
 51966 tcp trojans Premium scan Trojan Cafeini
 51996 tcp trojan Premium scan CafeIni trojan
 52001 tcp,udp applications not scanned Xlockmore, which is the maintained edition of Xlock, makes use of port 52001 to administer an X server network. Xlock prevents illegal access to the X server while the user is still keying in his or her password.

Jabber Session Manager (JSM) also employs port 52001 for administering instant messaging activities.
 52013 tcp trojans Premium scan Backdoor.Graybird.C (2003.04.15) - a backdoor trojan and a variant of Backdoor.Graybird. It gives a hacker unauthorized access to your computer. It opens port 52013 to listen for commands. The existence of the file, HGZSERVER.EXE, is an indication of a possible infection.
 52028 tcp,udp applications not scanned Altiris Agent for Linux, Mac and Unix
BibleTime for Linux
 52179 tcp trojans Premium scan Backdoor.Tjserv.D (10.04.2005) - a backdoor trojan that acts as a HTTP and SOCKS4/5 proxy. Opens a backdoor and listens for remote commands on port 8080/udp. Also opens a HTTP, SOCKS4 and SOCKS5 proxy on port 52179/tcp.
 52303 udp applications not scanned Yokogawa CENTUM CS 3000 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the BKCLogSvr.exe service. By sending specially-crafted packets to UDP port 52303, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [BID-66130], [CVE-2014-0781], [XFDB-91783]
 52317 tcp trojans Premium scan Port used by: Acid Battery 2000 trojan
 52365 tcp trojan Premium scan Way trojan
 52559 tcp trojans Premium scan Backdoor.AntiLam.20.Q (2003.08.29) - a backdoor trojan horse that gives its creator access to a computer. By default this trojan listens on ports 20226 and 52559. The existence of the file nas.exe is in indication of a possible infection. This threat is written in the Delphi programming language.
 52805 tcp applications not scanned A security issue has been reported in NEC Universal RAID Utility, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to the application improperly restricting access permissions, which can be exploited to conduct arbitrary operations on a hard disk being managed by the application via TCP port 52805.
References: [CVE-2013-0706], [SECUNIA-52241]
 52901 udp trojan Premium scan Possibly the Omega DDoS tool.
 52978 tcp trojans Members scan Gspot, also known as Backdoor.Optix.Downloader, G-Spot, Trojan.Win32.GoBind, TrojanDownloader.Win32.G-Spot.10 and TrojanDownloader.Win32.G-Spot.15, is a backdoor Trojan written in Delphi affecting Microsoft Windows operating systems.

The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 52978, to allow the client system to connect. Gspot could allow a remote attacker to gain unauthorized access to the system.
References: [XFDB-15165]
 52999 tcp applications not scanned The GetMagicNumberString function in Massive Entertainment World in Conflict 1.000 and earlier allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a string to the VoIP port (52999/tcp) with an invalid value in the third byte.
References: [CVE-2007-5369], [BID-25985]
 53001 tcp trojans Premium scan Remote Windows Shutdown trojan
 53217 tcp trojan Premium scan Acid Battery 2000 trojan horse (TCP)
 53357 tcp,udp virus not scanned W95.Sma (2002.05.29) - an oligomorphic stealth virus which affects Windows 9x environments. It is network-aware and has a payload that runs arbitrary code that originates from a specific IP address.
 53484 tcp linksys Premium scan Sony VLP Network Projectors use port 53484 by default.

Reportedly, some newer Linksys "Smart WiFi" routers like EA6300 can open port 53484 by default. To close the port on such routers, disable any "Remote Access", and "Smart Phone access".
 53535,53540,53541 tcp,udp activepdf not scanned Port used by ActivePDF software - automates PDF generation process from different sources, such as a website

ActivePDF WebGrabber - port 64320
ActivePDF Server - port 53535
ActivePDF DocConverter - port 53540 and port 53541
 54045 udp arx not scanned Logitech LGS Arx control app listens to port 54045 UDP and uses outbound port 54099 UDP. It also uses a random TCP port, reportedly in the following ranges (57851, 57856, 57907, 57911, 57913, 57924, 57943, 63235)
 54099 udp arx not scanned Logitech LGS Arx control app listens to port 54045 UDP and uses outbound port 54099 UDP. It also uses a random TCP port, reportedly in the following ranges (57851, 57856, 57907, 57911, 57913, 57924, 57943, 63235)
 54112 tcp trojans Premium scan Backdoor.Ranky.F (2004.04.01) - a trojan horse that runs as a proxy server. By default, the trojan opens TCP port 54112.
 54138 tcp applications not scanned Toshiba 4690 operating system could allow a remote attacker to obtain sensitive information. By sending a specially crafted string to TCP port 54138, an attacker could return environment variables to an unauthenticated client. An attacker could exploit this vulnerability to restricted data.
References: [CVE-2014-8476], [XFDB-103666]
 54283 tcp trojan Premium scan Trojans using this port:
BackDoor-G, SubSeven, Sub7(*) (TCP)
 54312 tcp,udp trojans not scanned Backdoor.Niovadoor (2002.10.31) - a backdoor trojan that gives an attacker unauthorized access to an infected computer. By default it opens port 54312 on the infected computer. The trojan attempts to disable some antivirus and firewall programs by terminating their active processes.
 54320 udp trojan not scanned Back Orifice 2000, BO2K(*) trojan horse (UDP)
 54321 tcp trojans Premium scan opendkim default port (may also use ports 8891,12345)

Trojans using this port:
Schoolbus .69-1.11, 1.6, 2.0 (TCP)
Back Orifice 2000, BO2K(*) (TCP/UDP)
Backdoor.Robofo

Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool before 2.3 in Moxa Device Manager allows remote MDM Gateways to execute arbitrary code via crafted data in a session on TCP port 54321.
References: [CVE-2010-4741]

The Terminal Upgrade Tool in the Pilot Below Deck Equipment (BDE) and OpenPort implementations on Iridium satellite terminals allows remote attackers to execute arbitrary code by uploading new firmware to TCP port 54321.
References: [CVE-2014-0327]
 54321 udp loadavg not scanned UDP port used by "loadavg" - a service that replies with the load average of a machine.
 54345 tcp loadrunner not scanned Port used by HP LoadRunner for checking performance and behavior of a system when under load.

Stack-based buffer overflow in magentproc.exe for Hewlett-Packard Mercury LoadRunner Agent, Performance Center Agent, and Monitor over Firewall allows remote attackers to execute arbitrary code via a packet with a long server_ip_name field to TCP port 54345, which triggers the overflow in mchan.dll.
References: [CVE-2007-0446], [BID-22487]
 54444 tcp applications not scanned NMMediaServer.exe in Nero MediaHome 3.3.3.0 and earlier, as used in Nero 8.3.2.1 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a long HTTP request to TCP port 54444.
References: [CVE-2008-1905]

Multiple off-by-one errors in NMMediaServerService.dll in Nero MediaHome 4.5.8.0 and earlier allow remote attackers to cause a denial of service (crash) via a long string in the (1) request line or (2) HTTP Referer header to TCP port 54444, which triggers a heap-based buffer overflow.
References: [CVE-2012-5876]
 54533 udp applications not scanned Really Simple IM is vulnerable to a denial of service, caused by the improper handling of packets. By sending a specially-crafted packet to UDP port 54533, a remote attacker could exploit this vulnerability to cause the application to crash.
References: [XFDB-60454], [OSVDB-66447], [EDB-14408]
 55000 tcp,udp trojans Premium scan Backdoor.Roxe - remote access trojan, 09.27.2004. Affects all current Windows versions, exploits the MS GDI+ Library vulnerability: MS Seciruty Bulletin [MS04-028]. Listens on port 55000/tcp.

Port also used by Windows Home Server for managing the various components of the home network.
Port also used by some versions of uTorrent by default.
 55123 udp applications not scanned Default VoIP client port, Battlefield 2
 55124 udp applications not scanned Default VoIP server port
 55125 udp applications not scanned Standard VoIP port
 55165 tcp trojans Premium scan Some trojans use this port: File Manager trojan, WM Trojan Generator
 55166 tcp trojan Premium scan WM Trojan Generator
 55554 tcp applications not scanned Share KM application for Android is vulnerable to a denial of service, caused by an error in the Share KM PC Server. By sending a specially-crafted request containing an overly long string argument to TCP port 55554, a remote attacker could exploit this vulnerability to cause the server to crash.
References: [BID-62586], [XFDB-87386], [EDB-28451]
 55555 tcp trojan Premium scan Shadow Phyre trojan

JUNG Smart Visu Server contains two undocumented operating system user backdoor accounts. By connecting to the device over SSH on Port 55555, a remote attacker could exploit this vulnerability to gain administrative access to the device.
References: [XFDB-121625]
 55665 tcp trojans Premium scan Latinus, Pinochet

Vulnerabilities listed: 100 (some use multiple ports)
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About