The Broadband Guide

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please let us know. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 4987 tcp,udp smar-se-port1 not scanned SMAR Ethernet Port 1, maybe-veritas
 4988 tcp,udp smar-se-port2 not scanned SMAR Ethernet Port 2
 4990 tcp,udp applications not scanned Apple IPlay uses ports 4990-4999
 4993 tcp,udp games not scanned Civilization II Gold
Home FTP Server web Interface Default Port
 4995 tcp games not scanned Command and Conquer Renegade, Emperor Battle for Dune, Nox (TCP/UDP)
Xwis server also uses port 4995 (TCP/UDP)
 4999 tcp,udp trojans not scanned Backdoor.Ripjac [Symantec-2002-112118-0605-99] (2002.11.21) - a backdoor trojan that allows a hacker to gain access to the infected computer. The presence of the file Synchost.exe is an indication of a possible infection. By default, the trojan opens port 4999 to allow the hacker to remotely control the infected computer.

Siemens SINEMA Server before 12 SP1 allows remote attackers to cause a denial of service (web-interface outage) via crafted HTTP requests to port 4999 or 80.
References: [CVE-2014-2733]

Siemens SIMATIC WinCC OA before 3.12 P002 January allows remote attackers to cause a denial of service (monitoring-service outage) via malformed HTTP requests to port 4999.
References: [CVE-2014-1697], [CVE-2014-1698], [CVE-2014-1699], [BID-65349], [OSVDB-102811], [SECUNIA-56651]

Multiple directory traversal vulnerabilities in the integrated web server in Siemens SINEMA Server before 12 SP1 allow remote attackers to access arbitrary files via HTTP traffic to port (1) 4999 or (2) 80.
References: [CVE-2014-2732]

Multiple unspecified vulnerabilities in the integrated web server in Siemens SINEMA Server before 12 SP1 allow remote attackers to execute arbitrary code via HTTP traffic to port (1) 4999 or (2) 80.
References: [CVE-2014-2731], [XFDB-92653], [BID-66968]
 5000 tcp,udp UPnP Basic scan Universal Plug and Play (UPnP) uses two ports, 5000 TCP and 1900 UDP. UPnP is a set of networking protocols that allows networked and mobile devices to seamlessly discover each other's presence on the network and communicate.

3CX Phone System Management Console
AT&T U-verse public, educational, and government access (PEG) streaming over HTTP uses port 5000 TCP
Google Assistant webserver docker container commonly listens on TCP ports 5000 and 9324.
Cowrie-Logviewer, a Python script to visualize the logs of the cowrie honeypot, uses 5000 as default
Docker Registry server
Dwyco Video Conferencing
File Station, Audio Station
Flask Development Webserver
Heroku console access
ICUII Client v.4
Synology Management Console uses port 5000 TCP to access DSM
Yahoo Messenger Chat
Cirrato printing system uses TCP ports 5000 and 5005
AWS Elastic Beanstalk Proxy server

League of Legends uses ports 5000-5500 UDP

Trojan Horses that use port 5000: Back Door Setup, Blazer5, Bubbel, ICKiller, Ra1d, Sockets des Troie, Socket 23
Trojan.Webus.B [Symantec-2004-100519-0947-99] - DDoS attack trojan, kills antivirus services, 10.05.2004. Uses port 5000/tcp for a DDoS attack.
W32.Mytob.HH@mm [Symantec-2005-071116-2302-99] - a mass-mailing worm with backdoor capabilities. Connects to an IRC server and listens for remote commands on port 26418/tcp. Also opens a backdoor on port 5000/tcp.

UPnP discovery/SSDP is a service that runs by default on Windows, and there are multiple security vulnerabilities associated with it, especially on older Windows versions. In 2001, Microsoft released 60 updates to Windows related to UPnP vulnerabilities.
MS Security Bulletin [MS01-054]
MS Security Bulletin [MS01-059]

Stack-based buffer overflow in Hospira Communication Engine (CE) before 1.2 in LifeCare PCA Infusion System 5.07, Plum A+ Infusion System 13.40, and Plum A+3 Infusion System 13.40 allows remote attackers to cause a denial of service or possibly have unspecified other impact via traffic on TCP port 5000.
References: [CVE-2015-7909], [XFDB-110113]

OpenLambda 2019-09-10 allows DNS rebinding attacks against the OL server for the REST API on TCP port 5000.
References: [CVE-2019-20329]

Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
References: [CVE-2020-17475], [XFDB-186861]

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R6700 V1.0.4.84_10.0.58 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9643.
References: [CVE-2020-10924], [CVE-2020-10923]

A denial of service vulnerability has been identified in Go2Call. The problem is that Go2Call doesn't handle long bogus UDP packets. This allows malicious people to crash the application by sending a 1500 byte long packet to port 5000/udp.
References: [SECUNIA-9673]

SenNet Optimal DataLogger appliance, Solar DataLogger appliance and Multitask Meter could allow a remote attacker to bypass security restrictions, caused by no authentication mechanism implemented for the Telnet service. By connecting to Telnet service using TCP port 5000, an attacker could exploit this vulnerability to bypass access restrictions to connect to the shell and issue commands.
References: [XFDB-124381]

There is no CSRF protection in the Liman application. With a little social engineering (such as sending a link via email or chat), an attacker may force the victim to click on a malicious link, with the purpose of manipulating their current account information or changing their password entirely. Download the application, make an account and log in to the panel at http://127.0.0.1:5000 (expose the docker port on 5000).
References: [EDB-48869]

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6400v2 1.0.4.106_10.0.80 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the uuid request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-14110.
References: [CVE-2021-34991]

Backdoor.Win32.BNLite / Remote Heap Based Buffer Overflow - the malware listens on TCP port 5000. Third party attackers who can reach the system can send a specially crafted payload to trigger a heap based buffer overflow overwriting the ECX, EDX registers and corrupting memory located on the heap.
References: [MVID-2021-0407]

Backdoor.Win32.BNLite / Remote Stack Buffer Overflow - BioNet Lite Server 4.0a listens on TCP port 5000. Third-party attackers who can reach an infected system can trigger a buffer overflow overwriting the ECX, EDX and AX (16-bit) registers by sending a long junk payload.
References: [MVID-2022-0502]

The Emerson ROC and FloBoss RTU product lines through 2022-05-02 perform insecure filesystem operations. They utilize the ROC protocol (4000/TCP, 5000/TCP) for communications between a master terminal and RTUs. Opcode 203 of this protocol allows a master terminal to transfer files to and from the flash filesystem and to carry out arbitrary file and directory read, write, and delete operations.
References: [CVE-2022-30264]
 5001 tcp applications Members scan Yahoo Messenger Chat, Evertech (TCP/UDP), SlingBox (TCP/UDP), commplex-link, Iperf (Tool for measuring TCP and UDP bandwidth performance) (TCP/UDP), Synology Inc. Secured Management Console, File Station (TCP/UDP), Audio Station (TCP/UDP)

Malicious services using this port:
Back Door setup trojan, Sockets des Troie trojan

Ipdsserver.exe in Intermate WinIPDS 3.3 G52-33-021 allows remote attackers to cause a denial of service (CPU consumption) via short packets on TCP port 5001 with the 3, 5, 7, 13, 14, or 15 packet types.
References: [CVE-2008-0791], [BID-27757]

Unspecified vulnerability in HP LoadRunner 9.52 allows remote attackers to execute arbitrary code via network traffic to TCP port 5001 or 5002, related to the HttpTunnel feature.
References: [CVE-2011-0272] [BID-45792] [SECUNIA-42898] [OSVDB-70432]

Xen Mobile through 10.8.0 includes a service listening on port 5001 within its firewall that accepts unauthenticated input. If this service is supplied with raw serialised Java objects, it deserialises them back into Java objects in memory, giving rise to a remote code execution vulnerability. NOTE: the vendor disputes that this is a vulnerability, stating it is "already mitigated by the internal firewall that limits access to configuration services to localhost."
References: [CVE-2018-18013]

In the 3CX Phone System 15.5.3554.1, the Management Console typically listens on port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vulnerable parameters. An attacker must be authenticated to exploit this issue to access sensitive information to aid in subsequent attacks.
References: [CVE-2017-15359], [EDB-42991]

Forcepoint User ID (FUID) server versions up to 1.2 have a remote arbitrary file upload vulnerability on TCP port 5001. Successful exploitation of this vulnerability may lead to remote code execution. To fix this vulnerability, upgrade to FUID version 1.3 or higher. To prevent the vulnerability on FUID versions 1.2 and below, apply local firewall rules on the FUID server to disable all external access to port TCP/5001. FUID requires this port only for local connections through the loopback interface.
References: [CVE-2019-6139]

A conference management system of ZTE is impacted by a command execution vulnerability. Since the soapmonitor's java object service is enabled by default, the attacker could exploit this vulnerability to execute arbitrary commands by sending a deserialized payload to port 5001.
References: [CVE-2021-21741]

The Motorola MOSCAD and ACE line of RTUs through 2022-05-02 omit an authentication requirement. They feature IP Gateway modules which allow for interfacing between Motorola Data Link Communication (MDLC) networks (potentially over a variety of serial, RF and/or Ethernet links) and TCP/IP networks. Communication with RTUs behind the gateway is done by means of the proprietary IPGW protocol (5001/TCP). This protocol does not have any authentication features, allowing any attacker capable of communicating with the port in question to invoke (a subset of) desired functionality.
References: [CVE-2022-30276]
 5002 tcp trojans Members scan SOLICARD ARX

W32.Spybot.IVQ [Symantec-2005-012715-3315-99] (2005.01.26) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445). Opens a backdoor on one or more of these ports: 1927, 1930, 5002, 5003

SouthWest is vulnerable to a denial of service attack. A remote attacker could send a specially-crafted HTTP request to the HTTP server listening on port 5002 to cause the service to crash. The service must be restarted to regain normal functionality.
References: [BID-4362], [CVE-2002-0496]

Unspecified vulnerability in HP LoadRunner 9.52 allows remote attackers to execute arbitrary code via network traffic to TCP port 5001 or 5002, related to the HttpTunnel feature.
References: [CVE-2011-0272] [BID-45792] [SECUNIA-42898] [OSVDB-70432]

An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. The affected Ethernet interface module is connected to a MELSEC-Q PLC, which may allow a remote attacker to connect to the PLC via Port 5002/TCP and cause a denial of service, requiring the PLC to be reset to resume operation. This is caused by an Unrestricted Externally Accessible Lock.
References: [CVE-2016-8368], [BID-94632]

The network-enabled distribution of Kura before 2.1.0 takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. Still, the Equinox console port 5002 is left open, allowing login to Kura without any user credentials over unencrypted telnet and execution of commands using the Equinox "exec" command. As the process is running as "root", full control over the device can be acquired. IPv6 is also left in auto-configuration mode, accepting router advertisements automatically and assigning a MAC address based IPv6 address.
References: [CVE-2017-7649]

Some other trojans also use this port: cd00r, Shaft, Linux Rootkit IV (4)
 5002 udp hdhomerun not scanned Drobo Dashboard's discovery uses port 5002 UDP. It broadcasts periodically looking for Drobo NAS devices to manage.

HDHomeRun DVR from SiliconDust uses this port. HDHomeRun can be administered over the Ethernet link to tune channels, broadcast an MPEG stream, etc. The device can be viewed/controlled through a range of Linux/Windows DVR/PVR programs. List of all used ports:
Discovery Protocol - UDP 65001
Control Protocol - TCP 65001
Video stream - UDP 5002 and UDP 5004
LIRC for IR on HD Homerun - UDP 5000

Cisco 11000 Series Content Services Switches (CSS) running WebNS 5.0(x) before 05.0(04.07)S, and 6.10(x) before 06.10(02.05)S allow remote attackers to cause a denial of service (device reset) via a malformed packet to UDP port 5002.
References: [CVE-2004-0352], [BID-9806]
 5003 tcp trojans Members scan W32.Spybot.IVQ [Symantec-2005-012715-3315-99] (2005.01.26) - Worm with distributed denial of service and backdoor capabilities. Spreads through network shares, MySQL (port 3306)/MS SQL (port 1433) servers with weak passwords, and by exploiting system vulnerabilities (ports 135, 445). Opens a backdoor on one or more of these ports: 1927, 1930, 5002, 5003

Polycom MGC 25 allows remote attackers to cause a denial of service (crash) via a large number of "user" requests to the control port 5003, as demonstrated using the blast TCP stress tester.
References: [CVE-2003-0556]

IANA registered for: FileMaker, Inc. - Proprietary transport
 5003 udp watchguard not scanned WatchGuard WebBlocker Server uses port 5003 UDP to interact with Firebox devices.

IANA registered for: FileMaker, Inc. - Proprietary name binding
 5004 udp hdhomerun not scanned Port used by Real Time Streaming Protocol (RTSP) for Microsoft Windows Media streaming services.

RTSP uses the following ports:
554 TCP - used for accepting incoming RTSP client connections and for delivering data packets to clients that are streaming by using RTSPT.
5004 UDP - used for delivering data packets to clients that are streaming by using RTSPU.
5005 UDP - used for receiving packet loss information from clients and providing synchronization information to clients that are streaming by using RTSPU.
See also: port 1755 - Microsoft Media Server (MMS) protocol

HDHomeRun DVR from SiliconDust uses port 5004 UDP. HDHomeRun can be administered over the Ethernet link to tune channels, broadcast an MPEG stream, etc. The device can be viewed/controlled through a range of Linux/Windows DVR/PVR programs.
List of all HDHomeRun used ports:
Discovery Protocol - UDP 65001
Control Protocol - TCP 65001
Video stream - UDP 5002 and UDP 5004
LIRC for IR on HD Homerun - UDP 5000

Cisco Spark application (Cisco Webex Teams services) uses these ports:
443, 8443 TCP - signaling
5004 TCP/UDP - media
33434 TCP/UDP - media port
Note: older versions of Cisco Webex Teams services may use these additional ports: 53, 123, 444 TCP and 33434-33598 UDP (SIP calls)

ShoreTel IP Telephony system uses the following ports:
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5004 tcp webex not scanned Cisco Spark application (Cisco Webex Teams services) uses these ports:
443, 8443 TCP - signaling
5004 TCP/UDP - media
33434 TCP/UDP - media port
Note: older versions of Cisco Webex Teams services may use these additional ports: 53, 123, 444 TCP and 33434-33598 UDP (SIP calls)
 5005 udp ms-rtsp not scanned Port used by Real Time Streaming Protocol (RTSP) for Microsoft Windows Media streaming services.

RTSP uses the following ports:
554 TCP - used for accepting incoming RTSP client connections and for delivering data packets to clients that are streaming by using RTSPT.
5004 UDP - used for delivering data packets to clients that are streaming by using RTSPU.
5005 UDP - used for receiving packet loss information from clients and providing synchronization information to clients that are streaming by using RTSPU.
See also: port 1755 - Microsoft Media Server (MMS) protocol
 5005 tcp apps Premium scan Aladino
Cirrato printing system uses TCP ports 5000 and 5005

Stack-based buffer overflow in the TMregChange function in TMReg.dll in Trend Micro ServerProtect before 5.58 Security Patch 4 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 5005.
References: [CVE-2007-4731]

Trend Micro ServerProtect EarthAgent for Windows Management Console 5.58 and possibly earlier versions, when running with Trend Micro Control Manager 2.5 and 3.0, and Damage Cleanup Server 1.1, allows remote attackers to cause a denial of service (CPU consumption) via a flood of crafted packets with a certain "magic value" to port 5005, which also leads to a memory leak.
References: [CVE-2005-1928] [BID-15868] [OSVDB-21773] [SECUNIA-18038]
 5007 tcp,udp linuxcnc not scanned LinuxCNC default port (TCP)
Yahoo Voice Chat (UDP)
Palo Alto Networks - User-ID agent (TCP)

Mitsubishi Electric MELSEC-Q Series PLCs are vulnerable to a denial of service. By sending specific bytes over Port 5007, a remote attacker could exploit this vulnerability to exhaust all available resources.
References: [CVE-2019-6535], [XFDB-156259]

IANA registered for: WSM server SSL
 5009 tcp applications not scanned Apple AirPort Admin Utility, AirPort Express Assistant, Xwis (TCP/UDP)
 5010 tcp,udp yahoo Premium scan Yahoo Messenger Voice Chat
Also used by Avaya ISPI Control protocol. Used to communicate via CCMS (Control Channel Message Set) between an Avaya PBX, such as the S8300 or S8700 Media Servers, and an IPSI (IP Server Interface).

Siemens Openstage and Gigaset phones use the following ports:
389/tcp LDAP
636/tcp LDAPS
5010/tcp - RTP
5060/tcp - SIP gateway, backup proxy
8085/tcp - DLS
18443/TCP and 18444/TCP - provisioning over TLS (HTTPS)

Applications/games that use this port: Ultima Online, Defcon, Ojo

Trojans that use this port: Solo (tcp), Team Asylum (tcp)

A vulnerability has been identified in SPPA-T3000 MS3000 Migration Server (All versions). An attacker with network access to the MS3000 Server could cause a Denial-of-Service condition and potentially gain remote code execution by sending specifically crafted packets to 5010/tcp. This vulnerability is independent from CVE-2019-18323, CVE-2019-18324, CVE-2019-18325, CVE-2019-18326, CVE-2019-18327, CVE-2019-18328, and CVE-2019-18329. Please note that an attacker needs to have network access to the MS3000 in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known.
References: [CVE-2019-18330], [CVE-2019-18323], [CVE-2019-18324], [CVE-2019-18325], [CVE-2019-18326], [CVE-2019-18327], [CVE-2019-18328], [CVE-2019-18329], [CVE-2019-18294], [CVE-2019-18298], [XFDB-173171], [XFDB-173172]

Anviz access control devices could allow a remote attacker to obtain sensitive information, caused by improper authentication validation. By sending a direct request to port tcp/5010, an attacker could exploit this vulnerability to obtain user credentials, and use this information to launch further attacks against the affected system.
References: [CVE-2019-12388], [CVE-2019-12389], [CVE-2019-12390], [XFDB-172401], [XFDB-172402], [XFDB-172403]

IANA registered for: TelepathStart
 5011 tcp telelpathattack Premium scan Trojans using this port: Peanut Brittle, modified, One of the Last Trojans (OOTLT)

Applications/games using this port: Defcon (UDP)

IBM/Tivoli OPC Tracker Agent version 2 release 1 allows remote attackers to cause a denial of service (resource exhaustion) via malformed data to the localtracker client port (5011), which prevents the connection from being closed properly.
References: [CVE-1999-1404]

IANA registered for: TelepathAttack
 5014 udp onpsocket not scanned Overlay Network Protocol
 5015 tcp fmwp not scanned FileMaker, Inc. - Web publishing
 5017 tcp applications Premium scan Applications using this port: Astronomical Image Processing System (AIPS), Ojo (UDP)

Malicious services using this port: Win32-Pakes-AKM, WORM_NUWAR
 5019 tcp applications not scanned Untrusted search path and argument injection vulnerability in the VersantD service in Versant Object Database 7.0.1.3 and earlier, as used in Borland CaliberRM and probably other products, allows remote attackers to execute arbitrary commands via a request to TCP port 5019 with a modified VERSANT_ROOT field.
References: [CVE-2008-1319], [BID-28097]
 5020 tcp,udp zenginkyo-1 not scanned zenginkyo-1
 5021 tcp,udp applications not scanned zenginkyo-2, LocationFree
 5024 tcp,udp scpi-telnet not scanned SCPI-TELNET (IANA official)
 5025 tcp trojan Premium scan WM Remote KeyLogger

SCPI-RAW (TCP/UDP) (IANA official)
 5028 tcp qvr not scanned Quiqum Virtual Relais
 5029 tcp,udp infobright not scanned Infobright Database Server
Sonic Robo Blast 2 also uses port 5029 (UDP), developer: Sonic Team Jr
 5031 tcp trojan Premium scan NetMetropolitan 1.0, NetMetropolitan 1.04 trojan horse

AVM CAPI-over-TCP (ISDN over Ethernet tunneling) uses port 5031 (TCP/UDP)
 5031 udp dmp not scanned Direct Message Protocol
 5032 tcp trojan Premium scan NetMetropolitan 1.04

IANA registered for: SignaCert Enterprise Trust Server Agent
 5033 tcp trojan Premium scan NetMetro

Janstor Secure Data (IANA official)
 5034 jtnetd-status not scanned Janstor Status (IANA official)
 5037 tcp applications not scanned Android ADB server
 5038 tcp applications not scanned Magic Leap MLDB server
 5041 tcp lync not scanned Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports
 5044 tcp,udp lxi-evntsvc not scanned Standard port in Filebeats/Logstash implementation of Lumberjack protocol.

IANA registered for: LXI Event Service
 5045 tcp osp not scanned Open Settlement Protocol

McAfee Remote Desktop 3.0 and earlier allows remote attackers to cause a denial of service (crash) via a large number of packets to port 5045.
References: [CVE-2001-0612] [BID-2726] [OSVDB-6288]
 5046 udp vpm-udp not scanned Vishay PM UDP Service
 5047 udp iscape not scanned iSCAPE Data Broadcasting
 5048 tcp texai not scanned Texai Message Service
 5050 tcp trojans Premium scan Yahoo Messenger uses this port.

BT Communicator uses ports 5050-5070 (TCP/UDP).

EOSCoreScada.exe in C3-ilex EOScada before 11.0.19.2 allows remote attackers to cause a denial of service (daemon restart) by sending data to TCP port (1) 5050 or (2) 24004.
References: [CVE-2012-1810]

R0xr4t [Symantec-2002-082915-1621-99], a.k.a. RoxRat backdoor, BD R0xr4t 1.0. Uses ports 5050,50551,50552,60551,60552.
 5050 udp applications not scanned Saia Burgess Controls (SBC) PCD through 2022-05-06 uses a Broken or Risky Cryptographic Algorithm. According to FSCT-2022-0063, there is a Saia Burgess Controls (SBC) PCD S-Bus weak credential hashing scheme issue. The affected components are characterized as: S-Bus (5050/UDP) authentication. The potential impact is: Authentication bypass. The Saia Burgess Controls (SBC) PCD controllers utilize the S-Bus protocol (5050/UDP) for a variety of engineering purposes. It is possible to configure a password in order to restrict access to sensitive engineering functionality. Authentication is done by using the S-Bus 'write byte' message to a specific address and supplying a hashed version of the password. The hashing algorithm used is based on CRC-16 and as such not cryptographically secure. An insecure hashing algorithm is used. An attacker capable of passively observing traffic can intercept the hashed credentials and trivially find collisions allowing for authentication without having to bruteforce a keyspace defined by the actual strength of the password. This allows the attacker access to sensitive engineering functionality such as uploading/downloading control logic and manipulating controller configuration.
References: [CVE-2022-30320]
 5051 tcp,udp ita-agent not scanned ITA Agent, Symantec Intruder Alert, Orbit Downloader (P2P)
 5053 tcp rlm not scanned DNS over HTTPS (used by Cloudflared)

RLM License Server [Matt_Christiano_2] (IANA official)

Multiple HP OpenView applications are vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the OVTrace service. By sending a specially-crafted request on port 5053 TCP, a remote attacker could overflow a buffer and execute arbitrary code on the system with root or SYSTEM privileges.
References: [XFDB-35928]
 5053 udp rlm-disc not scanned RLM Discovery Server [Reprise_Software_Inc] (IANA official)
 5054 tcp rlm-admin not scanned ** DISPUTED ** An issue was discovered in Reprise License Manager (RLM) through 12.2BL2. Attackers can use the web interface to read and write data to any file on disk (as long as rlm.exe has access to it) via /goform/edit_lf_process with file content in the lfdata parameter and a pathname in the lf parameter. By default, the web interface is on port 5054, and does not require authentication. NOTE: the vendor has stated "We do not consider this a vulnerability."
References: [CVE-2018-15573]

IANA registered for: RLM administrative interface
 5056 tcp,udp intecom-ps1 not scanned Intecom Pointspan 1
 5057 tcp,udp intecom-ps2 not scanned Intecom Pointspan 2
 5058 udp locus-disc not scanned Locus Discovery
 5060 tcp,udp sip Basic scan Session Initiation Protocol (SIP) (official) - SIP VoIP phones and providers use this port. Asterisk server, X-ten Lite/Pro, Ooma, Vonage (ports 5060, 5061, 10000-20000), Apple iChat, iTalkBB, Motorola Ojo, OpenWengo, TalkSwitch, IConnectHere, Lingo VoIP (ports 5060-5065), magicJack (ports 5060, 5070)

Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports

Siemens Openstage and Gigaset phones use the following ports:
389/tcp LDAP
636/tcp LDAPS
5010/tcp - RTP
5060/tcp - SIP gateway, backup proxy
8085/tcp - DLS
18443/TCP and 18444/TCP - provisioning over TLS (HTTPS)

Memory leak in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (memory consumption or device reload) by sending crafted SIP packets to UDP port 5060, aka Bug ID CSCtj04672.
References: [CVE-2011-3280]

The provider-edge MPLS NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload) via a malformed SIP packet to UDP port 5060, aka Bug ID CSCti98219.
References: [CVE-2011-3279]

Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload) by sending crafted SIP packets to UDP port 5060, aka Bug ID CSCti48483.
References: [CVE-2011-3278]

Unspecified vulnerability in the NAT implementation in Cisco IOS 12.1 through 12.4 and 15.0 through 15.1, and IOS XE 3.1.xSG, allows remote attackers to cause a denial of service (device reload or hang) by sending crafted SIP packets to TCP port 5060, aka Bug ID CSCso02147.
References: [CVE-2011-3276], [BID-49822]

Unspecified vulnerability in Cisco TelePresence C Series Endpoints, E/EX Personal Video units, and MXP Series Codecs, when using software versions before TC 4.0.0 or F9.1, allows remote attackers to cause a denial of service (crash) via a crafted SIP packet to port 5060 or 5061, aka Bug ID CSCtq46500.
References: [CVE-2011-2577] [BID-49392]

Siemens C450 IP and C475 IP VoIP devices allow remote attackers to cause a denial of service (disconnected calls and device reboot) via a crafted SIP packet to UDP port 5060.
References: [CVE-2008-7065] [BID-32451] [SECUNIA-32827] [OSVDB-50274]

The Grandstream HT-488 0.1 allows remote attackers to cause a denial of service (device crash) via a flood of fragmented packets to port 5060.
References: [CVE-2007-5789], [BID-26349]

Memory leak in Cisco Unified Communications Manager IM and Presence Service before 8.6(5)SU1 and 9.x before 9.1(2), and Cisco Unified Presence, allows remote attackers to cause a denial of service (memory and CPU consumption) by making many TCP connections to port (1) 5060 or (2) 5061, aka Bug ID CSCud84959.
References: [CVE-2013-3453]

Cisco Unified Communications Manager (Unified CM) 8.5(x) and 8.6(x) before 8.6(2a)su3 and 9.x before 9.1(1) does not properly restrict the rate of SIP packets, which allows remote attackers to cause a denial of service (memory and CPU consumption, and service disruption) via a flood of UDP packets to port 5060, aka Bug ID CSCub35869.
References: [CVE-2013-3461]

Cisco TelePresence Video Communication Server is vulnerable to a denial of service, caused by the improper handling of messages by the Session Initiation Protocol (SIP) module. By sending a specially-crafted Session Description Protocol (SDP) message to UDP and TCP port 5060, a remote attacker could exploit this vulnerability to cause the device to reload.
References: [CVE-2014-0662], [BID-65076], [XFDB-90621]

innovaphone is vulnerable to a denial of service, caused by improper bounds checking by protocol SIP/UDP. By sending a specially-crafted SIP request to the open 5060/UDP port, a remote attacker could exploit this vulnerability to cause the VoIP phone to crash and restart.
References: [XFDB-111764]

A vulnerability in the Network Address Translation (NAT) Session Initiation Protocol (SIP) Application Layer Gateway (ALG) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to improper processing of SIP packets in transit while NAT is performed on an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted SIP packets via UDP port 5060 through an affected device that is performing NAT for SIP packets. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition.
References: [CVE-2018-0476], [BID-105419]

Polycom VVX 500/601 devices could allow a remote attacker to obtain sensitive information, caused by a flaw in the SIP service. By sending a specially-crafted request to TCP port 5060, a remote attacker could exploit this vulnerability to obtain phone configuration information.
References: [CVE-2018-18566], [XFDB-151919], [BID-105746]
 5061 tcp,udp sip-tls not scanned Asterisk, Freeswitch, Vonage, MS Lync Server


Unspecified vulnerability in Cisco TelePresence C Series Endpoints, E/EX Personal Video units, and MXP Series Codecs, when using software versions before TC 4.0.0 or F9.1, allows remote attackers to cause a denial of service (crash) via a crafted SIP packet to port 5060 or 5061, aka Bug ID CSCtq46500.
References: [CVE-2011-2577], [BID-49392]

SIP-TLS (IANA official)
 5062 tcp,udp na-localise not scanned Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports

Localisation access (IANA Official)
 5063 tcp csrpc not scanned Centrify secure RPC

Microsoft Lync Server
 5064 tcp,udp ca-1 not scanned Microsoft Lync Server
Nomado


IANA registered for: Channel Access 1
 5065 tcp,udp ca-2 not scanned Microsoft Lync Server
IConnectHere
Lingo VoIP
Nomado

IANA registered for: Channel Access 2
 5066 tcp,udp stanag-5066 not scanned Microsoft Lync Server
GeoVision
RemotePlayBack

IANA registered for: STANAG 5066 (http://s5066.nc3a.nato.int), a communication protocol stack for long thin pipes with a high bit-error rate, specifically HF radio.
 5070 tcp,udp applications Premium scan BT Communicator uses ports 5050-5070
magicJack (ports 5060, 5070)
Microsoft Lync Server

Binary Floor Control Protocol (BFCP), published as RFC 4582, is a protocol that allows for an additional video channel (known as the content channel) alongside the main video channel in a video-conferencing call that uses SIP. Port 5070 is also the preferred Session Initiation Protocol (SIP) port for PUBLISH on a SIP trunk to Cisco Unified Presence Server (CUPS).
 5075 tcp pvaccess not scanned Microsoft Lync Server

Experimental Physics and Industrial Control System [Matej_Sekoranja] (IANA official)
 5080 tcp,udp applications not scanned NEC Phone System SV8100 and SV9100 MLC phones: default iSIP port (TCP)

A Directory Browsing vulnerability in MCL-Net version 4.3.5.8788 webserver running on default port 5080, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.
References: [CVE-2023-34834]
 5082 tcp,udp qcp not scanned IANA registered for: Qpur Communication Protocol
 5083 tcp,udp qfp not scanned IANA registered for: Qpur File Protocol
 5084 tcp,udp llrp not scanned IANA registered for: EPCglobal Low-Level Reader Protocol
 5085 tcp,udp encrypted-llrp not scanned IANA registered for: EPCglobal Encrypted LLRP
 5086 tcp aprigo-cs not scanned Aprigo Collection Service

Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports
 5087 tcp biotic not scanned Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports

Things Interoperable (IANA official)
 5090 sctp car not scanned Candidate AR
 5091 sctp cxtp not scanned Context Transfer Protocol (IANA official) [RFC 4065]
 5091 tcp zoom not scanned Zoom Video Conferencing uses these ports:
TCP: 80, 443, 8801, 8802 - Zoom clients to Zoom meetings outbound connections.
UDP: 3478, 3479, 8801-8810 - Zoom meetings
Zoom Phone also uses outbound ports 390/tcp and 5091/tcp
 5093 udp applications not scanned Buffer overflow in the Sentinel LM (Lservnt) service in the Sentinel License Manager 7.2.0.2 allows remote attackers to execute arbitrary code by sending a large amount of data to UDP port 5093.
References: [CVE-2005-0353], [BID-12742]

Visual Components (owned by KUKA) is a robotic simulator that allows simulating factories and robots in order to improve planning and decision-making processes. Visual Components software requires a special license which can be obtained from a network license server. The network license server binds to all interfaces (0.0.0.0) and listens for packets over UDP port 5093. No authentication/authorization is required in order to communicate with the server. The protocol being used is a proprietary protocol by RMS Sentinel which provides the licensing infrastructure for the network license server. RMS Sentinel license manager service exposes UDP port 5093 which provides sensitive system information that could be leveraged for further exploitation without any kind of authentication. This information includes detailed hardware and OS characteristics. After a decryption process, a textual protocol is found which contains a simple header with the requested command, application-identifier, and some arguments. The protocol is vulnerable to DoS through an arbitrary pointer dereference. This flaw allows an attacker to pass a specially crafted packet that, when processed by the service, causes an arbitrary pointer from the stack to be dereferenced, causing an uncaught exception that terminates the service. This can be further constructed in combination with RVDP#710 which exploits an information disclosure leak, or with RVDP#711 for a stack overflow and potential code execution. Beyond denying simulations, Visual Components provides capabilities to interface with industrial machinery and automate certain processes (e.g. testing, benchmarking, etc.) which depending on the DevOps setup might be integrated into the industrial flow. Accordingly, a DoS in the simulation might have higher repercussions, depending on the Industrial Control System (ICS) infrastructure.
References: [CVE-2020-10292], [XFDB-191324]

Visual Components (owned by KUKA) is a robotic simulator that allows simulating factories and robots in order to improve planning and decision-making processes. Visual Components software requires a special license which can be obtained from a network license server. The network license server binds to all interfaces (0.0.0.0) and listens for packets over UDP port 5093. No authentication/authorization is required in order to communicate with the server. The protocol being used is a proprietary protocol by RMS Sentinel which provides the licensing infrastructure for the network license server. RMS Sentinel license manager service exposes UDP port 5093 which provides sensitive system information that could be leveraged for further exploitation without any kind of authentication. This information includes detailed hardware and OS characteristics. After a decryption process, a textual protocol is found which contains a simple header with the requested command, application-identifier, and some arguments. The protocol leaks information regarding the receiving server, license information and license management, among others. Through this flaw, attackers can retrieve information about a KUKA simulation system, particularly the version of the licensing server, which is connected to the simulator, and which will allow them to launch local simulations with similar characteristics, further understanding the dynamics of motion virtualization and opening doors to other attacks (see RVDP#711 and RVDP#712 for subsequent vulnerabilities that compromise integrity and availability). Beyond compromising simulations, Visual Components provides capabilities to interface with industrial machinery. Particularly, their PLC Connectivity feature 'makes it easy' to connect simulations with control systems using either the industry standard OPC UA or other supported vendor specific interfaces. This fills the gap of jumping from simulation to real systems and enables attackers to pivot from the Visual Components simulator to robots or other Industrial Control System (ICS) devices, such as PLCs.
References: [CVE-2020-10291], [XFDB-191323]

Port is also IANA registered for Sentinel LM
 5094 tcp,udp hart-ip not scanned HART-IP
 5100 tcp applications not scanned Mac OS X camera and scanner sharing
Yahoo Super Webcam, developer: Yahoo

Yahoo! Messenger fails to properly handle webcam streams, which may allow a remote attacker to execute arbitrary code. This vulnerability may also cause a denial of service by causing Yahoo! Messenger to crash. When Yahoo! Messenger views a webcam stream, it makes a connection to port 5100/tcp.
References: [CVE-2007-4391], [BID-25330], [OSVDB-38221]
 5100 udp socalia not scanned Avaya Communication Server 1000 is vulnerable to a denial of service, when parsing requests. By sending a specially-crafted packet to UDP port 5100, a remote attacker could exploit this vulnerability to cause the server to crash.
References: [XFDB-66908], [BID-47514], [SECUNIA-44213]

IANA registered for: Socalia service mux (TCP/UDP)
 5101 tcp,udp applications not scanned Yahoo P2P Instant Messages, developer: Yahoo

Borland StarTeam MPX is vulnerable to a denial of service, caused by an integer overflow error in the TmsgBufMsgDeserializeEx function in the instructions for data calculation. By sending a specially-crafted packet to TCP port 5101, a remote attacker could exploit this vulnerability to crash the service.
References: [XFDB-40966]
 5102 tcp applications not scanned The administration application server in Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to bypass authentication via direct requests on TCP port 5102.
References: [CVE-2008-2406], [BID-29539]

Port also IANA registered for Oracle OMS non-secure
 5103 tcp actifio-c2c not scanned IANA registered for: Actifio C2C
 5104 udp tinymessage not scanned IANA registered for: TinyMessage
 5104 tcp applications not scanned IBM Tivoli Framework NetCOOL/Impact HTTP Service
 5105 udp hughes-ap not scanned IANA registered for: Hughes Association Protocol
 5106 tcp applications not scanned A-Talk Common connection
 5107 tcp applications not scanned A-Talk Remote server connection

Disk to Disk replication (IANA official)
 5108 tcp applications not scanned VPOP3 Mail Server Webmail
 5109 tcp,udp applications not scanned VPOP3 Mail Server Status
 5110 tcp applications Premium scan Applications using this port: ProRat Server

Trojans using this port: BDS/Hupigon.bsw, BDS/Prorat.M.B.38, ProRAT
 5111 tcp,udp taep-as-svc Premium scan Malicious services using this port: W32.Korgo

IANA Registered for: TAEP AS service
 5113 tcp,udp ni-dc not scanned NI Device Discovery and Configuration Protocol
 5114 tcp ev-services not scanned Enterprise Vault Services
 5116 udp emb-proj-cmd not scanned EPSON Projecter Image Transfer [SEIKO_EPSON_4] (IANA official)
 5117 tcp gradecam not scanned GradeCam Image Processing
 5120 tcp,udp games not scanned Neverwinter Nights uses ports 5120-5129

IANA registered for: Barracuda Backup Protocol
 5121 tcp,udp applications not scanned Ragnarok Online Server, Neverwinter Nights
 5124 tcp,udp applications not scanned TorgaNET (Micronational Darknet)
 5125 tcp,udp applications not scanned TorgaNET (Micronational Intelligence Darknet)
 5129 tcp,udp games not scanned Neverwinter Nights
 5134 tcp ppactivation not scanned PP ActivationServer
 5135 tcp trojan Premium scan Bmail

Port is IANA registered for ERP-Scale.
 5136 tcp trojans Premium scan Backdoor.Toob.A [Symantec-2005-110216-5242-99] (2005.11.02) - a trojan horse with backdoor capabilities. Opens a backdoor and listens for remote commands on port 5136/tcp.
 5136 udp minotaur-sa not scanned Minotaur SA

Vulnerabilities listed: 100 (some use multiple ports)