Shortcuts
|
Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 3784 |
tcp,udp |
ventrilo |
not scanned |
Ventrilo
The decryption function in Flagship Industries Ventrilo 3.0.2 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) by sending a type 0 packet with an invalid version followed by another packet to TCP port 3784.
References: [CVE-2008-3680] [BID-30675]
Ventrilo 2.1.2 through 2.3.0 allows remote attackers to cause a denial of service (application crash) via a status packet that contains less data than specified in the packet header sent to UDP port 3784.
References: [CVE-2005-2719] [BID-14644] [SECUNIA-16551]
IANA registered for: BFD Control Protocol [RFC 5881] |
| 3785 |
tcp,udp |
bfd-echo |
not scanned |
Ventrilo VoIP
IANA registered for: BFD Echo Protocol [RFC5881] |
| 3786 |
tcp,udp |
upstriggervsw |
not scanned |
Backdoor.Win32.VB.awm / Authentication Bypass - Information Leakage - тhe "Cryptech Heat" malware listens on TCP port 3786 and has an option to set an remote access password. The malware also runs a keylogger, we see imports for GetAsyncKeyState, GetKeyState, keybd_event and GetActiveWindow modules. Third-party attackers connecting to the infected system can use any password and will essentially see anything the victim types, searches or programs they run. As all information is piped out to whatever remote endpoint is connected.
References: [MVID-2021-0339]
VSW Upstrigger port (IANA official)
|
| 3791 |
tcp |
trojan |
Premium scan |
Total Eclipse trojan horse (FTP) |
| 3799 |
tcp,udp |
radius-dynauth |
not scanned |
RADIUS Dynamic Authorization (IANA official) [RFC 3576] |
| 3800 |
tcp |
trojan |
Premium scan |
Total Solar Eclypse
HGG programs, Videon Digital Linux DVR also use this port. |
| 3801 |
udp |
trojan |
not scanned |
Total Eclipse trojan |
| 3804 |
tcp,udp |
iqnet-port |
not scanned |
Harman IQNet Port (IANA official) |
| 3805 |
udp |
games |
not scanned |
Heroes of Might and Magic IV |
| 3812 |
tcp,udp |
neto-wol |
not scanned |
netO WOL Server |
| 3814 |
tcp,udp |
neto-dcs |
not scanned |
netO DCS |
| 3817 |
tcp |
tapeware |
not scanned |
HP Data Protector Express and HP Data Protector Express Single Server Edition are vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the DtbClsLogin function. By sending an overly long string argument to port 3817 TCP, a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause a denial of service.
References: [XFDB-61711], [EDB-23290]
IANA registered for: Yosemite Tech Tapeware |
| 3822 |
tcp,udp |
acp-discovery |
not scanned |
Compute Pool Discovery |
| 3823 |
tcp,udp |
acp-conduit |
not scanned |
Compute Pool Conduit |
| 3824 |
tcp,udp |
acp-policy |
not scanned |
Compute Pool Policy |
| 3825 |
tcp,udp |
ffserver |
not scanned |
Used by RedSeal Networks client/server connection (TCP)
IANA registered for: Antera FlowFusion Process Simulation
|
| 3826 |
tcp,udp |
warmux |
not scanned |
Used by RedSeal Networks client/server connection (TCP)
IANA registered for: WarMUX game server
|
| 3832 |
tcp,udp |
xxnetserver |
not scanned |
IANA registered for xxNETserver |
| 3835 |
tcp,udp |
spectardb |
not scanned |
Used by RedSeal Networks client/server connection (TCP)
IANA registered for: Spectar Database Rights Service |
| 3836 |
tcp,udp |
markem-dcp |
not scanned |
MARKEM NEXTGEN DCP |
| 3837 |
tcp,udp |
mkm-discovery |
not scanned |
MARKEM Auto-Discovery |
| 3840 |
tcp |
games |
not scanned |
Command and Conquer Renegade, Emperor Battle for Dune, Nox (TCP/UDP)
Xwis server also uses port 3840 (TCP/UDP) |
| 3855 |
tcp,udp |
games |
not scanned |
Kohan Immortal Sovereigns |
| 3857 |
tcp,udp |
trap-port |
not scanned |
Trap Port |
| 3858 |
tcp,udp |
trap-port-mom |
not scanned |
Trap Port MOM |
| 3862 |
udp |
games |
not scanned |
F-16 |
| 3863 |
tcp,udp,sctp |
asap |
not scanned |
F-16 Mig 29
asap [RFC5352] (IANA official) |
| 3864 |
tcp,sctp |
asap-tcp-tls |
not scanned |
asap/tls tcp port [RFC5352] (IANA official) |
| 3866 |
tcp,udp |
dzdaemon |
not scanned |
Sun SDViz DZDAEMON Port |
| 3867 |
tcp,udp |
dzoglserver |
not scanned |
Sun SDViz DZOGLSERVER Port |
| 3868 |
tcp,sctp |
diameter |
not scanned |
DIAMETER [RFC3588] (IANA official) |
| 3872 |
tcp |
|
not scanned |
Oracle Management Remote Agent |
| 3874 |
udp |
games |
not scanned |
F-22 Raptor |
| 3875 |
udp |
games |
not scanned |
F-22 Lightning 3 |
| 3880 |
tcp,udp |
igrs |
not scanned |
IANA registered for: IGRS |
| 3887 |
tcp,udp |
ciphire-data |
not scanned |
Ciphire Data Transport |
| 3888 |
tcp,udp |
ciphire-serv |
not scanned |
Ciphire Services |
| 3891 |
tcp |
worm |
not scanned |
W32.Falgna [Symantec-2007-011806-0023-99] (2007.01.18) - a worm that steals system information and opens a back door on the compromised computer allowing a remote attacker to have unauthorized access.
Port is also IANA registered for Oracle RTC-PM port. |
| 3894 |
tcp,udp |
syam-agent |
not scanned |
SyAM Agent Port |
| 3895 |
tcp,udp |
syam-smc |
not scanned |
SyAm SMC Service Port |
| 3896 |
tcp,udp |
sdo-tls |
not scanned |
Simple Distributed Objects over TLS |
| 3897 |
tcp,udp |
sdo-ssh |
not scanned |
Simple Distributed Objects over SSH |
| 3899 |
tcp,udp |
itv-control |
not scanned |
Remote Administrator (TCP)
IANA registered for: ITV Port |
| 3900 |
tcp |
udt_os |
not scanned |
Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) long parameter value, (2) crafted string size field, or (3) long Parameter Name string in a package with opcode 0x43 and sub opcode 0x4 to TCP port 3900.
References: [CVE-2012-4341] [SECUNIA-49744]
udt_os, IBM UniData UDT OS (IANA official) |
| 3905 |
tcp,udp |
mupdate |
not scanned |
Mailbox Update (MUPDATE) protocol (IANA official) [RFC 3656] |
| 3910 |
tcp,udp |
prnrequest |
not scanned |
Printer Request Port |
| 3911 |
tcp,udp |
prnstatus |
not scanned |
Printer Status Port
Certain HP OfficeJet Pro printers are potentially vulnerable to a Denial of Service when sending a SOAP message to the service on TCP port 3911 that contains a body but no header.
References: [CVE-2023-4694] |
| 3913 |
tcp,udp |
listcrt-port |
not scanned |
ListCREATOR Port |
| 3914 |
tcp,udp |
listcrt-port-2 |
not scanned |
ListCREATOR Port 2 |
| 3920 |
tcp |
applications |
not scanned |
Apple iChat Server |
| 3945 |
tcp |
trojan |
Premium scan |
Delta Remote Access
IANA registered for: EMCADS Server Port (TCP/UDP) |
| 3957 |
tcp,udp |
mqe-broker |
not scanned |
MQEnterprise Broker |
| 3958 |
tcp,udp |
mqe-agent |
not scanned |
MQEnterprise Agent |
| 3960 |
udp |
applications |
not scanned |
Warframe online interaction |
| 3962 |
|
applications |
not scanned |
Warframe online interaction |
| 3970 |
tcp,udp |
lanrevagent |
not scanned |
LANrev Agent |
| 3971 |
tcp,udp |
lanrevserver |
not scanned |
LANrev Server |
| 3972 |
tcp,udp |
iconp |
not scanned |
Backdoor.Win32.Mazben.me / Unauthenticated Open Proxy - the malware listens on random TCP ports like 3515, 7936, 3972. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0302]
ict-control Protocol (IANA official) |
| 3973 |
tcp,udp |
progistics |
not scanned |
IANA registered for: ConnectShip Progistics |
| 3974 |
tcp,udp |
xk22 |
not scanned |
Remote Applicant Tracking Service (IANA official) |
| 3978 |
tcp,udp |
secure-cfg-svr |
not scanned |
Cortex Data Lake (Paloaltonetworks) and Panorama Connect use ports 444 and 3978 for logging
Cortex XDR (Paloaltonetworks) uses port 33221 as the default P2P content update distribution port for their security agents
OpenTTD game (masterserver and content service)
IANA registered for: Secured Configuration Server |
| 3979 |
tcp,udp |
smwan |
not scanned |
OpenTTD game
IANA registered for: Smith Micro Wide Area Network Service |
| 3984 |
tcp,udp |
mapper-nodemgr |
not scanned |
MAPPER network node manager |
| 3985 |
tcp,udp |
mapper-mapethd |
not scanned |
MAPPER TCP/IP server |
| 3986 |
tcp,udp |
mapper-ws_ethd |
not scanned |
MAPPER workstation server |
| 3989 |
tcp,udp |
bv-queryengine |
not scanned |
BindView-Query Engine |
| 3990 |
tcp,udp |
bv-is |
not scanned |
BindView-IS |
| 3991 |
tcp,udp |
bv-smcsrv |
not scanned |
BindView-SMCServer |
| 3992 |
tcp,udp |
bv-ds |
not scanned |
BindView-DirectoryServer |
| 3993 |
tcp,udp |
bv-agent |
not scanned |
BindView-Agent |
| 3996 |
tcp,udp |
trojan |
not scanned |
Remote Anything |
| 3997 |
tcp |
trojan |
Premium scan |
Remote Anything |
| 3999 |
tcp |
trojan |
Premium scan |
Remote Anything
Infostealer.Multigame [Symantec-2007-050716-1648-99] (2007.05.07) - trojan horse that steals sensitive information from compromised computer.
Delta Force also uses port 3999 (TCP/UDP).
IANA registered for: Norman distributes scanning service (TCP/UDP) |
| 4000 |
tcp,udp |
trojans |
Members scan |
Trojan.Peacomm [Symantec-2007-011917-1403-99] (2007.01.19) - trojan horse that drops a system driver which injects some payload and hidden threads directly into the services.exe process, using a sophisticated technique. Once infected, it opens a backdoor to download other malicious programs. Uses UDP ports 4000, 7871, 11271
Applications: RemoteAnything, Videon Digital Linux DVR (TCP), Abacast (TCP)
Malware: Connect-Back Backdoor, Psyber Streaming Server trojan, Skydance trojan
Games that use this port: Blizzard Battlenet, Diablo II, Command and Conquer Red Alert (UDP), Warcraft II (UDP), Tiberian Sun, Dune 2000 (UDP)
The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to (1) modify the configuration via a request to the debug service on port 4000 or (2) delete log entries via a request to the log service on port 4001.
References: [CVE-2014-0769]
A vulnerability in multiple ISS products can be exploited to compromise a vulnerable system. The vulnerability is caused due to a boundary error in the PAM (Protocol Analyses Module) component within a routine used for monitoring ICQ server responses. This can be exploited to cause a buffer overflow by sending a specially crafted response packet with a source port of 4000/UDP to the broadcast address of a network with vulnerable systems.
References: [SECUNIA-11073]
OSRAM SYLVANIA Osram Lightify Home before 2016-07-26 allows remote attackers to execute arbitrary commands via TCP port 4000.
References: [CVE-2016-5053], [XFDB-125040]
Moxa EDR-810 is vulnerable to a denial of service, caused by a flaw in the Server Agent functionality. By sending a specially-crafted packet to port 4000, an attacker could exploit this vulnerability to cause the system to crash.
References: [CVE-2017-14438], [XFDB-141667]
Backdoor.Win32.VB.pld / Insecure Transit - the malware listens on TCP port 4000 and has a chat feature "Hnadle-X Pro V1.0 Text Chat". Messages are passed in unencrypted plaintext across the network. Well positioned third-party attackers who can intercept traffic will have the ability to read all communications.
References: [MVID-2021-0247]
The Emerson ROC and FloBoss RTU product lines through 2022-05-02 perform insecure filesystem operations. They utilize the ROC protocol (4000/TCP, 5000/TCP) for communications between a master terminal and RTUs. Opcode 203 of this protocol allows a master terminal to transfer files to and from the flash filesystem and carrying out arbitrary file and directory read, write, and delete operations.
References: [CVE-2022-30264] |
| 4001 |
tcp |
newoak |
Members scan |
NewOak, ICQ Client, CoreOS etcd client communication, Microsoft Ants game
Citrix NetScaler appliance Lights out Management uses ports 4001, 5900, 623 TCP to run a daemon that offers unified configuration management of routing protocols.
OptixPro [Symantec-2004-020615-3137-99] (Backdoor.OptixPro.13.C) - trojan horse that opens a backdoor on TCP port 4001.
The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to (1) modify the configuration via a request to the debug service on port 4000 or (2) delete log entries via a request to the log service on port 4001.
References: [CVE-2014-0769]
A denial-of-service vulnerability exists in the Pixar Renderman IT Display Service 21.6 (0x67). The vulnerability is present in the parsing of a network packet without proper validation of the packet. The data read by the application is not validated, and its use can lead to a null pointer dereference. The IT application is opened by a user and then listens for a connection on port 4001. An attacker can deliver an attack once the application has been opened.
References: [CVE-2018-3840]
A denial-of-service vulnerability exists in the Pixar Renderman IT Display Service 21.6 (0x69). The vulnerability is present in the parsing of a network packet without proper validation of the packet. The data read-in is not validated, and its use can lead to a null pointer dereference. The IT application is opened by a user and then listens for a connection on port 4001. An attacker can deliver an attack once the application has been opened.
References: [CVE-2018-3841]
The Bently Nevada 3700 series of condition monitoring equipment through 2022-04-29 has a maintenance interface on port 4001/TCP with undocumented, hardcoded credentials. An attacker capable of connecting to this interface can thus trivially take over its functionality.
References: [CVE-2022-29953] |
| 4002 |
tcp,udp |
pxc-spvr-ft |
not scanned |
pxc-spvr-ft, mlnet - MLChat P2P chat proxy
Buffer overflow in Durian Web Application Server 3.02 freeware on Windows allows remote attackers to execute arbitrary code via a long string in a crafted packet to TCP port 4002.
References: [CVE-2006-6853], [BID-21808]
A vulnerability has been identified in Opcenter Quality (All versions), SIMATIC PCS neo (All versions < V4.1), SINUMERIK Integrate RunMyHMI /Automotive (All versions), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 7), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). The affected application contains an out of bounds write past the end of an allocated buffer when handling specific requests on port 4002/tcp and 4004/tcp. This could allow an attacker to crash the application. The corresponding service is auto-restarted after the crash.
References: [CVE-2023-46284]
A vulnerability has been identified in Opcenter Quality (All versions), SIMATIC PCS neo (All versions < V4.1), SINUMERIK Integrate RunMyHMI /Automotive (All versions), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 7), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). The affected application contains an out of bounds write past the end of an allocated buffer when handling specific requests on port 4002/tcp. This could allow an attacker to crash the application. The corresponding service is auto-restarted after the crash.
References: [CVE-2023-46283] |
| 4003 |
tcp,udp |
pxc-splr-ft |
not scanned |
W32.Spybot.AVEO [Symantec-2010-022312-1929-99] (2010.02.23) - a worm that attempts to exploit a number of vulnerabilities in order to spread. It may also spread through network shares protected by weak passwords.
Port is also IANA registered for pxc-splr-ft |
| 4004 |
tcp,udp |
pxc-roid |
not scanned |
pxc-roid, PPLive
Backdoor.Win32.Jokerdoor / Remote Stack Buffer Overflow - the malware listens on TCP port 4004 and drops an randomly named executables E.g. acrorqwjlle.exe etc. Third party attackers who can reach an infected system can send a junk payload and trigger a classic stack buffer overflow overwriting the ECX, EIP registers and structured exception handler (SEH). When connecting you will get a "connected" server response, then we supply our payload as a parameter prefixed by "DOS".
References: [MVID-2021-0434]
A vulnerability has been identified in Opcenter Quality (All versions), SIMATIC PCS neo (All versions < V4.1), SINUMERIK Integrate RunMyHMI /Automotive (All versions), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 7), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). The affected application contains an improper input validation vulnerability that could allow an attacker to bring the service into a Denial-of-Service state by sending a specifically crafted message to 4004/tcp. The corresponding service is auto-restarted after the crash is detected by a watchdog.
References: [CVE-2023-46285]
A vulnerability has been identified in Opcenter Quality (All versions), SIMATIC PCS neo (All versions < V4.1), SINUMERIK Integrate RunMyHMI /Automotive (All versions), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 7), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). The affected application contains an out of bounds write past the end of an allocated buffer when handling specific requests on port 4002/tcp and 4004/tcp. This could allow an attacker to crash the application. The corresponding service is auto-restarted after the crash.
References: [CVE-2023-46284] |
| 4005 |
tcp,udp |
pxc-pin |
not scanned |
Nox, Command and Conquer Renegade (TCP), Emperor Battle for Dune (TCP) also use this port.
Xwis server also uses this port.
Port is IANA assigned for pxc-pin. |
| 4006 |
tcp,udp |
pxc-spvr |
not scanned |
pxc-spvr |
| 4007 |
tcp,udp |
pxc-splr |
not scanned |
pxc-splr, PrintBuzzer printer monitoring socket server |
| 4008 |
tcp,udp |
netcheque |
not scanned |
Local Server 1.0.9 has a Buffer Overflow via crafted data on Port 4008.
References: [CVE-2018-18756]
IANA registered for: NetCheque accounting |
| 4010 |
udp |
games |
not scanned |
Command and Conquer Gold, Dune 2000 |
| 4011 |
udp |
games |
not scanned |
Command and Conquer Gold |
| 4012 |
udp |
games |
not scanned |
Command and Conquer Gold |
| 4013 |
udp |
games |
not scanned |
Command and Conquer Gold |
| 4014 |
udp |
games |
not scanned |
Command and Conquer Gold
IANA registered for: TAICLOCK (TCP/UDP) |
| 4015 |
tcp,udp |
talarian-mcast1 |
not scanned |
Talarian Mcast
Command and Conquer Gold also uses this port (UDP). |
| 4016 |
tcp,udp |
talarian-mcast2 |
not scanned |
Command and Conquer Gold uses this port (UDP).
The port is IANA registered for Talarian Mcast. |
| 4017 |
tcp,udp |
talarian-mcast3 |
not scanned |
Talarian Mcast |
| 4018 |
tcp,udp |
talarian-mcast4 |
not scanned |
Talarian Mcast |
| 4019 |
tcp,udp |
talarian-mcast5 |
not scanned |
Talarian Mcast |
| 4020 |
tcp,udp |
applications |
not scanned |
GlobalChat client/server, used to be called ichat |
| 4022 |
tcp |
microsoft |
not scanned |
Microsoft SQL Server Service Broker - commonly used port, the conventional configuration used in Books Online examples. |
| 4030 |
tcp,udp |
jdmn-port |
not scanned |
IANA registered for: Accell/JSP Daemon Port |
| 4032 |
tcp,udp |
veritas |
not scanned |
Port used by Veritas PBX (Private Branch Exchange) Service
Veritas uses the following ports:
1556 - Veritas PBX Service
2821 - VxSS Authentication Service
4032 - VxSS Authorization Service
13724 - Veritas NetBackup Network Service
13783 - nbatd
13722 - nbazd
|
| 4035 |
tcp,udp |
wap-push-http |
not scanned |
WAP Push OTA-HTTP port
IBM Rational Developer for System z Remote System Explorer Daemon also uses port 4035 (TCP) |
| 4036 |
tcp,udp |
wap-push-https |
not scanned |
WAP Push OTA-HTTP secure |
| 4040 |
tcp |
applications |
not scanned |
Subsonic |
| 4044 |
tcp,udp |
ltp |
not scanned |
This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 4.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Dreambox plugin for the xupnpd service, which listens on TCP port 4044 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the router. Was ZDI-CAN-15935.
References: [CVE-2022-40720]
This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 4.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd_generic.lua plugin for the xupnpd service, which listens on TCP port 4044 by default. When parsing the feed parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15906.
References: [CVE-2022-40719]
Location Tracking Protocol (IANA official) |
Vulnerabilities listed: 100 (some use multiple ports)
|
