| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 18512 |
udp |
applications |
not scanned |
The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 mishandles authentication. It utilizes several proprietary protocols for a wide variety of functionality. These protocols include Firmware upgrade (18508/TCP, 18518/TCP); Plug-and-Play (18510/UDP); Hawk services (18507/UDP); Management (18519/TCP); Cold restart (18512/UDP); SIS communications (12345/TCP); and Wireless Gateway Protocol (18515/UDP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.
References: [CVE-2022-29957] |
| 18515 |
udp |
applications |
not scanned |
The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 mishandles authentication. It utilizes several proprietary protocols for a wide variety of functionality. These protocols include Firmware upgrade (18508/TCP, 18518/TCP); Plug-and-Play (18510/UDP); Hawk services (18507/UDP); Management (18519/TCP); Cold restart (18512/UDP); SIS communications (12345/TCP); and Wireless Gateway Protocol (18515/UDP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.
References: [CVE-2022-29957] |
| 18516 |
udp |
heythings |
not scanned |
IANA registered for: HeyThings Device communicate service |
| 18518 |
tcp |
applications |
not scanned |
The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 mishandles authentication. It utilizes several proprietary protocols for a wide variety of functionality. These protocols include Firmware upgrade (18508/TCP, 18518/TCP); Plug-and-Play (18510/UDP); Hawk services (18507/UDP); Management (18519/TCP); Cold restart (18512/UDP); SIS communications (12345/TCP); and Wireless Gateway Protocol (18515/UDP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.
References: [CVE-2022-29957] |
| 18519 |
tcp |
applications |
not scanned |
The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 mishandles authentication. It utilizes several proprietary protocols for a wide variety of functionality. These protocols include Firmware upgrade (18508/TCP, 18518/TCP); Plug-and-Play (18510/UDP); Hawk services (18507/UDP); Management (18519/TCP); Cold restart (18512/UDP); SIS communications (12345/TCP); and Wireless Gateway Protocol (18515/UDP). None of these protocols have any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.
References: [CVE-2022-29957] |
| 18550 |
tcp,udp |
applications |
not scanned |
The Emerson DeltaV Distributed Control System (DCS) controllers and IO cards through 2022-04-29 misuse passwords. TELNET on port 18550 provides access to a root shell via hardcoded credentials. This affects S-series, P-series, and CIOC/EIOC nodes. NOTE: this is different from CVE-2014-2350.
References: [CVE-2022-29963] |
| 18605 |
tcp,udp |
applications |
not scanned |
X-BEAT—Status/Version Check |
| 18606 |
tcp,udp |
applications |
not scanned |
X-BEAT |
| 18624 |
tcp |
applications |
not scanned |
Buffer overflow in the PKI Web Service in Check Point Firewall-1 PKI Web Service allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) Authorization or (2) Referer HTTP header to TCP port 18624. NOTE: the vendor has disputed this issue, stating "Check Point Security Alert Team has analyzed this report. We've tried to reproduce the attack on all VPN-1 versions from NG FP2 and above with and without HFAs. The issue was not reproduced. We have conducted a thorough analysis of the relevant code and verified that we are secure against this attack. We consider this attack to pose no risk to Check Point customers." In addition, the original researcher, whose reliability is unknown as of 20090407, also states that the issue "was discovered during a pen-test where the client would not allow further analysis."
References: [CVE-2009-1227] [BID-34286] |
| 18634 |
tcp,udp |
rds-ib |
not scanned |
Reliable Datagram Service |
| 18635 |
tcp,udp |
rds-ip |
not scanned |
Reliable Datagram Service over IP |
| 18667 |
tcp |
trojan |
Premium scan |
Knark trojan |
| 18668 |
tcp,udp |
vdmmesh |
not scanned |
IANA registered for: Manufacturing Execution Systems Mesh Communication |
| 18747 |
udp |
applications |
not scanned |
Citrix EdgeSight could allow a remote attacker to execute arbitrary code on the system, caused by an error in the LauncherService.exe component. By sending specially-crafted packets to TCP or UDP port 18747, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with SYSTEM-level privileges.
References: [XFDB-68148], [BID-48385] |
| 18753 |
udp |
trojan |
not scanned |
Shaft (DDoS) |
| 18881 |
tcp,udp |
applications |
not scanned |
This module exploits a stack buffer overflow in Race river's Integard Home/Pro internet content filter HTTP Server. Versions prior to 2.0.0.9037 and 2.2.0.9037 are vulnerable. The administration web page on port 18881 is vulnerable to a remote buffer overflow attack. By sending an long character string in the password field, both the structured exception handler and the saved extended instruction pointer are over written, allowing an attacker to gain control of the application and the underlying operating system remotely. The administration website service runs with SYSTEM privileges, and automatically restarts when it crashes.
References: [OSVDB-67909]
Port is also IANA registered for Infotos |
| 18888 |
tcp,udp |
liquidaudio |
not scanned |
Port used by LiquidAudio servers. |
| 18923 |
tcp,udp |
jahia |
not scanned |
Jahia |
| 18961 |
tcp |
trojans |
Premium scan |
Backdoor.Haxdoor.B [Symantec-2004-052016-0128-99] (2004.05.20) - a backdoor trojan horse that opens a TCP port, allowing unauthorized access to an infected computer. |
| 18999 |
udp |
applications |
not scanned |
A vulnerability in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges. The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 18999 of an affected device. An attacker could exploit this vulnerability by sending malicious packets to an affected device. When the packets are processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code on the affected device with elevated privileges. The attacker could also leverage this vulnerability to cause the device to reload, causing a temporary DoS condition while the device is reloading. The malicious packets must be destined to and processed by an affected device. Traffic transiting a device will not trigger the vulnerability. Cisco Bug IDs: CSCvf73881.
References: [CVE-2018-0151], [BID-103540] |
| 19000 |
tcp |
games |
not scanned |
Silent Hunter IV: Wolves Of The Pacific, developer: UbiSoft Romania
Audition Online Dance Battle game uses these ports:
18200 tcp/udp: AsiaSoft Thailand Server - Status/Version Check
18201 tcp/udp: AsiaSoft Thailand Server
18206 tcp/udp: AsiaSoft Thailand Server - FAM Database
18300 tcp/udp: AsiaSoft SEA Server - Status/Version Check
18301 tcp/udp: AsiaSoft SEA Server
18306 tcp/udp: AsiaSoft SEA Server - FAM Database
18400 tcp/udp: KAIZEN Brazil Server - Status/Version Check
18401 tcp/udp: KAIZEN Brazil Server
18505 tcp/udp: Nexon Server - Status/Version Check
18506 tcp/udp: Nexon Server
19000 tcp/udp: G10/alaplaya Server - Status/Version Check
19001 tcp/udp: G10/alaplaya Server |
| 19000 |
udp |
applications |
not scanned |
JACK sound server |
| 19001 |
udp |
games |
not scanned |
Silent Hunter IV: Wolves Of The Pacific, developer: UbiSoft Romania
Audition Online Dance Battle game uses these ports:
18200 tcp/udp: AsiaSoft Thailand Server - Status/Version Check
18201 tcp/udp: AsiaSoft Thailand Server
18206 tcp/udp: AsiaSoft Thailand Server - FAM Database
18300 tcp/udp: AsiaSoft SEA Server - Status/Version Check
18301 tcp/udp: AsiaSoft SEA Server
18306 tcp/udp: AsiaSoft SEA Server - FAM Database
18400 tcp/udp: KAIZEN Brazil Server - Status/Version Check
18401 tcp/udp: KAIZEN Brazil Server
18505 tcp/udp: Nexon Server - Status/Version Check
18506 tcp/udp: Nexon Server
19000 tcp/udp: G10/alaplaya Server - Status/Version Check
19001 tcp/udp: G10/alaplaya Server |
| 19002 |
udp |
games |
not scanned |
Silent Hunter IV: Wolves Of The Pacific, developer: UbiSoft Romania |
| 19007 |
tcp,udp |
scintilla |
not scanned |
Scintilla protocol for device services [Veejansh_Inc] (IANA official) |
| 19020 |
tcp |
j-link |
not scanned |
J-Link TCP/IP Protocol [SEGGER] (IANA official) |
| 19050 |
tcp |
malware |
not scanned |
Backdoor.Win32.Surila.j / Port Bounce Scan - the malware listens on random TCP high port numbers typically starting with "1" E.g. 12356, 14985, 13850, 19050, 13137. The malware has an FTP component that accepts any username/password credentials. Third-party attackers who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2021-0288]
Backdoor.Win32.Surila.j / Authentication Bypass - the malware listens on random TCP high port numbers typically starting with "1" E.g. 12356, 14985, 13850, 19050, 13137. Third-party attackers who can reach infected systems can logon using any username/password combination.
References: [MVID-2021-0289]
Backdoor.Win32.Surila.j / Remote Denial of Service - the malware listens on random TCP high port numbers typically starting with "1" E.g. 12356, 14985, 13850, 19050. Third-party attackers who can reach infected systems can logon using any username/password combination. Supplying a long string of characters for the FTP PORT command argument results in access violation and crash.
References: [MVID-2021-0290] |
| 19132 |
udp |
games |
not scanned |
Minecraft Pocket Edition multiplayer server
Minecraft: Bedrock Edition multiplayer server |
| 19133 |
udp |
games |
not scanned |
Minecraft: Bedrock Edition IPv6 multiplayer server |
| 19150 |
tcp |
gkrellm |
not scanned |
GKrellM remote system activity meter daemon |
| 19170 |
tcp |
klserver |
not scanned |
Kaspersky Security Center uses these ports:
8060, 8061 TCP, 15000, 15001 UDP - installation and update packages
8080 TCP - web console
13000 TCP/UDP - server port
13111, 17000, 17100 TCP, 15111 UDP - KSN proxy server
13291, 13292, 13294, 13295, 13299, 14000, 19170 TCP - client device management
|
| 19191 |
tcp |
trojan |
Premium scan |
BlueFire trojan |
| 19216 |
tcp |
trojan |
Premium scan |
BackGate Kit trojan |
| 19220 |
tcp |
cora |
not scanned |
IANA registered for: Client Connection Management and Data Exchange Service |
| 19220 |
udp |
cora-disc |
not scanned |
IANA registered for: Discovery for Client Connection Management and Data Exchange Service |
| 19226 |
tcp |
applications |
not scanned |
Panda Software AdminSecure Communication Agent
Integer overflow in Panda Software AdminSecure allows remote attackers to execute arbitrary code via crafted packets with modified length values to TCP ports 19226 or 19227, resulting in a heap-based buffer overflow.
References: [CVE-2007-3026], [BID-25046]
Panda Security for Business and Panda Security for Enterprise products could allow a remote attacker to execute arbitrary code on the system, caused by a directory traversal flaw in the Panda AdminSecure Communications Agent (Pagent.exe). By sending a specially-crafted request to TCP port 19226, an attacker could exploit this vulnerability to create and overwrite arbitrary files and execute arbitrary code with SYSTEM privileges.
References: [XFDB-88091] |
| 19227 |
tcp |
applications |
not scanned |
Integer overflow in Panda Software AdminSecure allows remote attackers to execute arbitrary code via crafted packets with modified length values to TCP ports 19226 or 19227, resulting in a heap-based buffer overflow.
References: [CVE-2007-3026], [BID-25046] |
| 19234 |
tcp |
applications |
not scanned |
A vulnerability in Siemens SICAM PAS (all versions before V8.09) could allow a remote attacker to cause a Denial of Service condition and potentially lead to unauthenticated remote code execution by sending specially crafted packets to port 19234/TCP.
References: [CVE-2016-9157], [BID-94549] |
| 19235 |
tcp |
applications |
not scanned |
A vulnerability in Siemens SICAM PAS (all versions before V8.09) could allow a remote attacker to upload, download, or delete files in certain parts of the file system by sending specially crafted packets to port 19235/TCP.
References: [CVE-2016-9156], [BID-94549] |
| 19283 |
tcp,udp |
keysrvr |
not scanned |
Key Server for SASSAFRAS (IANA official) |
| 19294 |
tcp |
applications |
not scanned |
IANA registered for: Google Talk Voice and Video connections |
| 19295 |
udp |
applications |
not scanned |
IANA registered for: Google Talk Voice and Video connections |
| 19302 |
udp |
voip |
not scanned |
VoIP STUN servers (Session Traversal Utilities for NAT), i.e. IP phones behind a firewall/NAT commonly use UDP port 3470 and 19302
Google Talk, DUO, Hangouts commonly use ports 19302-19308 UDP and 19305-19308 TCP
IANA registered for: Google Talk Voice and Video connections |
| 19303-19308 |
tcp,udp |
voip |
not scanned |
Google Talk, DUO, Hangouts commonly use ports 19302-19308 UDP and 19305-19308 TCP |
| 19315 |
tcp,udp |
keyshadow |
not scanned |
Key Shadow for SASSAFRAS (IANA official) |
| 19334 |
tcp,udp |
malware |
not scanned |
HEUR:Trojan.MSIL.Agent.gen / Information Disclosure - the malware runs an HTTP service on port 19334. Attackers who can reach an infected host can make HTTP GET requests to download and or stat arbitrary files using forced browsing.
References: [MVID-2022-0654] |
| 19340 |
tcp,udp |
trojans |
not scanned |
Backdoor.RemoteNC.B [Symantec-2002-111518-0305-99] (2002.11.15) - a backdoor trojan that allows a hacker to gain access to your system. The hacker can then delete, copy, and execute files and perform other actions. By default it opens port 19340. |
| 19421 |
tcp,udp |
applications |
not scanned |
In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
References: [CVE-2019-13450], [BID-109082]
In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a denial of service (continual focus grabs) via a sequence of invalid launch?action=join&confno= requests to localhost port 19421.
References: [CVE-2019-13449], [XFDB-163500], [XFDB-163501] |
| 19424 |
tcp,udp |
applications |
not scanned |
In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
References: [CVE-2019-13450], [BID-109082], [XFDB-163501] |
| 19535 |
tcp |
malware |
not scanned |
Backdoor.Win32.Freddy.2001 / Authentication Bypass Command Execution - the malware listens on TCP port 19535. Third-party intruders who can reach an infected host can gain access using an empty password and run commands made available by the backdoor using TELNET.
References: [MVID-2022-0486] |
| 19540 |
tcp,udp |
sxuptp |
not scanned |
Belkin Network USB Hub
SXUPTP (IANA official) |
| 19545 |
tcp |
malware |
not scanned |
Backdoor.Win32.Prexot.a / Authentication Bypass - the malware listens on random high TCP ports e.g 11404, 19545, 17001, 10110. Third-party attackers who can reach an infected system can logon using any username/password combination.
References: [MVID-2022-0484]
Backdoor.Win32.Prexot.a / Port Bounce Scan (MITM) - the malware listens on random high TCP ports e.g 11404, 19545, 17001, 10110 and accepts any credentials. Third-party intruders who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2022-0485] |
| 19604 |
tcp |
trojan |
Premium scan |
Metal trojan |
| 19605 |
tcp |
trojan |
Premium scan |
Metal trojan |
| 19638 |
tcp |
applications |
not scanned |
Ensim Control Panel |
| 19650 |
tcp |
malware |
not scanned |
Trojan-Proxy.Win32.Ranky.ag / Unauthenticated Open Proxy - the malware listens on TCP port 19650. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0269] |
| 19712 |
tcp,udp |
games |
not scanned |
Giants: Citizen Kabuto |
| 19786 |
tcp,udp |
applications |
not scanned |
Risk II |
| 19788 |
udp |
mle |
not scanned |
Mesh Link Establishment [IESG] (IANA official) |
| 19790 |
tcp |
faircom-db |
not scanned |
FairCom Database (IANA official) |
| 19800 |
udp |
applications |
not scanned |
A vulnerability in Mxserver can be exploited to compromise a vulnerable system. The vulnerability is caused due to a boundary error when processing network packets. This can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to UDP port 19800.
References: [SECUNIA-39051]
|
| 19801 |
tcp |
trojans |
Premium scan |
Backdoor.Wnetpols [Symantec-2008-042215-5247-99] (2008.04.22) - a trojan horse that opens a back door on the compromised computer. |
| 19810 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in B Labs Bopup Communication Server 3.2.26.5460 allows remote attackers to execute arbitrary code via a crafted request to TCP port 19810.
References: [CVE-2009-2227] |
| 19812 |
tcp |
applications |
not scanned |
4D database SQL Communication |
| 19813 |
tcp |
applications |
not scanned |
4D database Client Server Communication
HP Data Protector Media Operations is vulnerable to a denial of service, caused by a NULL pointer dereference in the DBServer.exe and DBTools.exe programs. By sending a specially-crafted packet to TCP port 19813, a local attacker could exploit this vulnerability to cause the application to crash.
References: [XFDB-61751], [BID-43167], [OSVDB-68528] |
| 19814 |
tcp |
applications |
not scanned |
4D database DB4D Communication |
| 19864 |
tcp |
trojan |
Premium scan |
ICQ Revenge trojan |
| 19937 |
tcp |
trojan |
Premium scan |
Backdoor.Gaster [Symantec-2003-122909-2907-99] |
| 19944 |
tcp |
phala |
not scanned |
Phala network default ports: 9944, 18000, 19944 |
| 19966 |
tcp,udp |
games |
not scanned |
Stronghold Legends |
| 19991 |
tcp |
trojan |
Premium scan |
Dfch trojan
Monopoly 3 also uses port 19991 (TCP/UDP) |
| 19998 |
tcp |
iec-104-sec |
not scanned |
IANA registered for: IEC 60870-5-104 process control - secure |
| 19999 |
tcp,udp |
dnp-sec |
not scanned |
Distributed Network Protocol - Secure (IANA official) |
| 20000 |
tcp,udp |
dnp |
Premium scan |
GlassWire service uses port 7010 by default, may also listen to port 20000.
QuickTime Streaming Server 4 also uses ports 10000-20000 (TCP).
Ultimate Baseball Online Client uses ports 20000-22200 (UDP)
Usermin, Web-based user tool, OpenWebNet - communications protocol used in Bticino products
Trojans that use this port: Millenium, PSYcho Files, XHX
The DNP Master Driver in Software Toolbox TOP Server before 5.12.140.0 allows remote attackers to cause a denial of service (master-station infinite loop) via crafted DNP3 packets to TCP port 20000 and allows physically proximate attackers to cause a denial of service (master-station infinite loop) via crafted input over a serial line.
References: [CVE-2013-2804]
The Kepware DNP Master Driver for the KEPServerEX Communications Platform before 5.12.140.0 allows remote attackers to cause a denial of service (master-station infinite loop) via crafted DNP3 packets to
TCP port 20000 and allows physically proximate attackers to cause a denial of service (master-station infinite loop) via crafted input over a serial line.
References: [CVE-2013-2789]
The master-station DNP3 driver before driver19.exe, and Beta2041.exe, in IOServer allows remote attackers to cause a denial of service (infinite loop) via crafted DNP3 packets to TCP port 20000.
References: [CVE-2013-2790]
IOServer is vulnerable to a denial of service, caused by improper handling of TCP packets within DNP3 drivers. By sending a specially-crafted packet to TCP port 20000, a remote attacker could exploit this vulnerability to cause the system to enter into an infinite loop.
References: [BID-60450], [CVE-2013-2783]
A denial of service vulnerability exists in Schneider Electric's MiCOM Px4x (P540 range excluded) with legacy Ethernet board, MiCOM P540D Range with Legacy Ethernet Board, and MiCOM Px4x Rejuvenated could lose network communication in case of TCP/IP open requests on port 20000 (DNP3oE) if an older TCI/IP session is still open with identical IP address and port number.
References: [CVE-2018-7758]
DNP (IANA official) |
| 20001 |
tcp |
trojans |
Premium scan |
Insect, Millennium, PSYcho Files trojans |
| 20001 |
udp |
qnap |
not scanned |
QNAP CloudLink uses port 20001 UDP to allow access without explicit port forwarding (technology similar to STUN for VoIP). CloudLink is not required if ports are manually forwarded and the NAS accessible.
QNAP uses the following ports:
Web server: 80,8081 TCP and 443,8080 TCP (web admin)
FTP/SFTP/SSH: 20,21,22 TCP and 13131 TCP (telnet)
Remote Replication: 873,8899 TCP
VPN server: 1723 TCP (PPTP), 1194 UDP (OpenVPN)
CloudLink: port 20001 UDP (optional, only required for access without manual port forwarding)
Game: Blazing Angels Squadrons of WWII (developer: Ubisoft Romania) |
| 20002 |
tcp |
trojans |
Premium scan |
Blazing Angels Squadrons of WWII also uses this port.
PSYcho Files, AcidkoR trojans
This vulnerability allows remote attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tmpServer service, which listens on TCP port 20002. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9662.
References: [CVE-2020-10886] |
| 20002 |
udp |
applications |
not scanned |
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. When parsing the slave_mac parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the root user. Was ZDI-CAN-9650.
References: [CVE-2020-10882]
This vulnerability allows network-adjacent attackers execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. This issue results from the use of hard-coded encryption key. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9652.
References: [CVE-2020-10884] |
| 20005 |
tcp |
netusb |
Members scan |
MoSucker trojan (2010)
[CVE-2015-3036] KCodes NetUSB Linux kernel driver is vulnerable to a buffer overflow via the network over TCP port 20005 that may result in a denial of service or code execution. The KCodes NetUSB driver has been integrated into several routers and network products, including Netgear, TP-Link, Trendnet, etc. An unauthenticated attacker on the local network (and a remote attacker with the default configuration on some devices) can trigger a buffer overflow that may result in a denial of service, or code execution. The vulnerability is triggered by simply specifying a machine name longer than 64 characters.
Certain D-Link, Edimax, NETGEAR, TP-Link, Tenda, and Western Digital devices are affected by an integer overflow by an unauthenticated attacker. Remote code execution from the WAN interface (TCP port 20005) cannot be ruled out; however, exploitability was judged to be of "rather significant complexity" but not "impossible." The overflow is in SoftwareBus_dispatchNormalEPMsgOut in the KCodes NetUSB kernel module. Affected NETGEAR devices are D7800 before 1.0.1.68, R6400v2 before 1.0.4.122, and R6700v3 before 1.0.4.122.
References: [CVE-2021-45608] |
| 20012 |
udp |
ss-idi-disc |
not scanned |
Samsung Interdevice Interaction discovery |
| 20013 |
tcp |
ss-idi |
not scanned |
Samsung Interdevice Interaction
Dark and Light game also uses port 20013 (TCP/UDP). |
| 20014 |
tcp,udp |
opendeploy |
not scanned |
DART Reporting server (TCP)
OpenDeploy Listener (IANA official) |
| 20023 |
tcp |
trojan |
Premium scan |
VP Killer trojan |
| 20031 |
tcp,udp |
applications |
not scanned |
Sony Bravia TV service may open TCP port 20031.
npvmgr.exe in BakBone NetVault Backup 8.22 Build 29 allows remote attackers to cause a denial of service (daemon crash) via a packet to TCP/UDP port 20031 with a large value in an unspecified size field, which is not properly handled in a malloc operation.
References: [CVE-2009-3448] [BID-36489]
Heap-based buffer overflow in the demo version of Bakbone Netvault, and possibly other versions, allows remote attackers to execute arbitrary commands via a large packet to port 20031.
References: [CVE-2005-1547]
NetVault is vulnerable to a stack-based buffer overflow caused by improper bounds checking of user-supplied input in the processing of the configure.cfg file. By creating a specially-crafted computername 'Name=' entry containing more than 111 bytes, a local attacker with access to the configure.cfg file, could overflow a buffer and execute arbitrary code on the system with SYSTEM level privileges, once the NetVault Process Manager restarts.
Note: A remote attacker could also exploit this vulnerability by connecting to port 20031 and sending a specially-crafted clientname entry in the Available NetVault Machines list to overflow a buffer and execute arbitrary code on the system.
References: [XFDB-19932], [CVE-2005-1009], [BID-12966], [BID-12967] |
| 20034 |
tcp |
trojans |
Members scan |
Some trojans/backdoors use this port: NetBus, NetRex, Whack Job |
| 20034 |
udp |
applications |
not scanned |
Stack-based buffer overflow in Azeotech DAQFactory 5.85 build 1853 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted NETB packet to UDP port 20034.
References: [CVE-2011-3492] |
| 20046 |
tcp,udp |
tmophl7mts |
not scanned |
TMOP HL7 Message Transfer Service |
| 20048 |
tcp,udp |
mountd |
not scanned |
NFS mount protocol |
| 20049 |
tcp,udp,sctp |
nfsrdma |
not scanned |
Network File System (NFS) over RDMA [RFC 5666] (IANA official) |
| 20050 |
udp |
games |
not scanned |
Blazing Angels Squadrons of WWII, developer: Ubisoft Romania |
| 20050 |
tcp |
applications |
not scanned |
In IXP EasyInstall 6.2.13723, there are cleartext credentials in network communication on TCP port 20050 when using the Administrator console remotely.
References: [CVE-2019-19898] |
| 20051 |
tcp |
applications |
not scanned |
In IXP EasyInstall 6.2.13723, there is Remote Code Execution via the Agent Service. An unauthenticated attacker can communicate with the Agent Service over TCP port 20051, and execute code in the NT AUTHORITY\SYSTEM context of the target system by using the Execute Command Line function.
References: [CVE-2019-19897] |
| 20057 |
tcp |
avesterra |
not scanned |
IANA registered for: AvesTerra Hypergraph Transfer Protocol (HGTP) |
| 20080 |
|
games |
not scanned |
Blazing Angels Squadrons of WWII, developer: Ubisoft Romania |
| 20100 |
udp |
games |
not scanned |
Soldier of Fortune 2 |
| 20101 |
tcp |
applications |
not scanned |
Stack-based buffer overflow in the CGenericScheduler::AddTask function in cmdHandlerRedAlertController.dll in CmdProcessor.exe in Trend Micro Control Manager 5.5 before Build 1613 allows remote attackers to execute arbitrary code via a crafted IPC packet to TCP port 20101.
References: [CVE-2011-5001], [BID-50965] |
| 20111 |
tcp |
applications |
not scanned |
Yokogawa CENTUM CS 3000 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the BKBCopyD.exe service. By sending specially-crafted packets to TCP port 20111, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [BID-66114], [XFDB-91785], [EDB-32210] |
| 20139 |
tcp |
trojan |
Premium scan |
#skanbotz IRC-SubSeven trojan |
| 20168 |
tcp |
worm |
Premium scan |
W32.HLLW.Lovgate.C@mm |
| 20171 |
tcp |
applications |
not scanned |
Yokogawa CENTUM CS 3000 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the BKHOdeq.exe service. By sending specially-crafted packets to TCP port 20171, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2014-0783], [BID-66111], [XFDB-91784], [EDB-32209] |
