The Broadband Guide

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis; however, if you feel we should add other port(s) to the list or modify their descriptions, please contact us. Any feedback and suggestions can also be posted to our Security forum.

Port(s) Protocol Service Scan level Description
 5354 tcp,udp mdnsresponder not scanned Multicast DNS Responder IPC
 5355 tcp,udp llmnr not scanned LLMNR (Link-Local Multicast Name Resolution) - protocol based on the Domain Name System (DNS), allowing for name resolution for hosts on the same network. Included in both Windows and Linux systemd-resolved, LLMNR protocol is defined in RFC 4795.

Canon printers management console uses these ports (in addition to standard ports 25, 80, 110, 137, 389, 443, etc.):
427 UDP - SLP multicast discovery
5355 TCP/UDP - LLMNR device discovery for SNMP, SLP
8000, 8080 TCP - UI HTTP access
11427 UDP - device sleep notifications
47545 UDP - communication with devices
47547 TCP - communication with devices

LLMNR (IANA official)
 5357 tcp,udp wsdapi Members scan Used by Microsoft Network Discovery, should be filtered for public networks. Disabling Network Discovery for any public network profile should close the port unless it's being used by another potentially malicious service.

To disable Network Discovery for a public profile, navigate to:
- Control Panel\Network and Internet\Network and Sharing Center\Advanced sharing settings
- disable Network Discovery for any public network

Port should be correctly mapped by the Windows Firewall to only accept connections from the local network.

Malicious services using this port:
Trojan.win32.monder.gen (a.k.a Trojan.Vundo)

Port is also IANA registered for:
Web Services for Devices (WSD) - a network plug-and-play experience that is similar to installing a USB device. WSD allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol. WSD communicates over HTTP (TCP port 5357), HTTPS (TCP port 5358), and multicast to UDP port 3702.
 5358 tcp,udp wsdapi-s not scanned Web Services for Devices Secured port

Web Services for Devices (WSD) is a network plug-and-play experience that is similar to installing a USB device. WSD allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol. WSD communicates over HTTP (TCP port 5357), HTTPS (TCP port 5358), and multicast to UDP port 3702.
 5360 tcp,udp applications not scanned SuperSync
 5364 udp kdnet not scanned IANA registered for: Microsoft Kernel Debugger
 5373 tcp worm Members scan W32.Gluber [Symantec-2003-122110-5255-99] (2003.12.21) - a mass-mailing worm that spreads through email and network shares. Uses its own SMTP engine, opens a backdoor on port 5373.
 5377 tcp trojan Premium scan Iani trojan
 5394 udp applications not scanned Kega Fusion, a Sega multi-console emulator
 5400 tcp trojans Premium scan Trojans that use this port: Back Construction, Blade Runner, Digital Spy

Xwis server also uses port 5400 (TCP/UDP)

Numara Asset Manager Platform (AMP) uses the following ports:
1610 - primary AMP port
1611 - communication between console and master server
Other optional ports used by AMP:
1609 - used to calculate available bandwidth for transfer windows
1612 - used by the application kiosk feature
2500 - used for multicast data transfers to agents
5400 - used for remote control only
22,23,25,135-139,445 - used for auto discovery, SSH remote inventory scans, SMB remote inventory
161 - SNMP remote inventory scan
67-69 - relays can be used to avoid opening ports over the wan

Unspecified vulnerability in Appian Enterprise Business Process Management (BPM) Suite 5.6 SP1 allows remote attackers to cause a denial of service via a crafted packet to TCP port 5400.
References: [CVE-2007-6509], [BID-26913]

Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.x before 9.2(1) allows remote attackers to cause a denial of service (disk consumption) via a flood of TCP packets to port 5400, leading to large error-log files, aka Bug ID CSCua42724.
References: [CVE-2013-3387]

Port is also IANA registered for: 5400/tcp Excerpt Search
 5400 udp games not scanned Command and Conquer Red Alert, Fly For Fun (TCP/UDP)
 5401 tcp excerpts Premium scan Trojans that use this port: Back Construction, Blade Runner, Digital Spy, Mneah

Cisco Security Agent could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions by the Management Center web interface (webagent.exe). By sending a specially-crafted POST request over port 5401 TCP, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
References: [CVE-2011-0364] [EDB-17155] [XFDB-65436]

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The HTTP service (default port 5401/tcp) of the SiNVR 3 Video Server contains an authentication bypass vulnerability, even when properly configured with enforced authentication. A remote attacker with network access to the Video Server could exploit this vulnerability to read the SiNVR users database, including the passwords of all users in obfuscated cleartext.
References: [CVE-2019-18339]

Port is also IANA registered for:
5401/tcp Excerpt Search Secure
 5402 tcp mftp Premium scan Trojans that use this port: Back Construction, Blade Runner, Digital Spy, Mneah

Port is also IANA registered for:
mftp, Stratacache OmniCast content delivery system MFTP file sharing protocol
 5404 udp citrix not scanned Citrix XenServer clustering uses these ports: 5404, 5405 UDP, and 8892, 21064 TCP
 5405 tcp,udp netsupport not scanned Citrix XenServer clustering uses these ports: 5404, 5405 UDP, and 8892, 21064 TCP

PcDuo remote control

Stack-based buffer overflow in NetSupport Manager Agent for Linux 11.00, for Solaris 9.50, and for Mac OS X 11.00 allows remote attackers to execute arbitrary code via a long control hostname to TCP port 5405.
References: [CVE-2011-0404], [BID-45728]

NetSupport (IANA registered)
 5410 tcp,udp salient-usrmgr not scanned A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The two FTP services (default ports 21/tcp and 5411/tcp) of the SiNVR 3 Video Server contain a path traversal vulnerability that could allow an authenticated remote attacker to access and download arbitrary files from the server, if the FTP services are enabled.
References: [CVE-2019-19296]

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The streaming service (default port 5410/tcp) of the SiNVR 3 Video Server contains a path traversal vulnerability, that could allow an unauthenticated remote attacker to access and download arbitrary files from the server.
References: [CVE-2019-19297]

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The streaming service (default port 5410/tcp) of the SiNVR 3 Video Server contains an input validation vulnerability, that could allow an unauthenticated remote attacker to cause a Denial-of-Service condition by sending malformed HTTP requests.
References: [CVE-2019-19298]

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The streaming service (default port 5410/tcp) of the SiNVR 3 Video Server applies weak cryptography when exposing device (camera) passwords. This could allow an unauthenticated remote attacker to read and decrypt the passwords and conduct further attacks.
References: [CVE-2019-19299]

IANA registered for: Salient User Manager
 5412 tcp,udp continuus not scanned IBM Rational Synergy (Telelogic Synergy) (Continuus CM) Message Router

IANA registered for: Continuus
 5413 tcp applications not scanned The SuiteLink Service (a.k.a. slssvc.exe) in WonderWare SuiteLink before 2.0 Patch 01, as used in WonderWare InTouch 8.0, allows remote attackers to cause a denial of service (NULL pointer dereference and service shutdown) and possibly execute arbitrary code via a large length value in a Registration packet to TCP port 5413, which causes a memory allocation failure.
References: [CVE-2008-2005], [BID-28974]

Port also IANA registered for WWIOTALK
 5418 tcp trojan Premium scan Backdoor.DarkSky.B [Symantec-2002-100311-5041-99]

Backdoor.Win32.DarkSky.23 / Remote Stack Buffer Overflow (SEH) - the malware listens on TCP port 5418. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting EDX register and Structured Exception Handler (SEH). In order to see the typical exploit pattern of "\x41" "AAAA" we need to actually send "\x50" as there is a loop that performs an XOR converting our payload. Therefore, if we send "AAAAAAAA" we will get "PPPPPPPP", the malware performs the XOR with the value of 11.
References: [MVID-2022-0648]
 5419 tcp,udp trojan not scanned Backdoor.DarkSky.B [Symantec-2002-100311-5041-99]
 5421 tcp,udp netsupport2 not scanned Net Support 2
 5423 tcp,udp virtualuser not scanned IANA registered for: Apple VirtualUser
 5424 tcp worm not scanned W32.Mydoom.AF@mm [Symantec-2004-101709-2151-99] (2004.10.15) - a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds on the infected computer. The worm also contains back door functionality which allows unauthorized remote access. The email will have a variable subject and attachment name. The attachment will have a .cpl, .pif, or .scr file extension. The threat is packed with UPX.

Port is also IANA registered for: Beyond Remote
 5430 tcp trojan Premium scan Net Advance trojan
 5432 tcp applications not scanned ARD 2.0 Database

Xerox WorkCentre and WorkCentre Pro do not block the postgres port (5432/tcp), which has unknown impact and remote attack vectors, probably related to unauthorized connections to a PostgreSQL daemon.
References: [CVE-2006-6469]

Backdoor.Win32.GateHell.21 / Authentication Bypass - the malware runs an FTP server on TCP ports 5301,5432,5300,5299,5298,5297,5296 and 5295. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2022-0559]

Backdoor.Win32.GateHell.21 / Port Bounce Scan - the malware runs an FTP server on TCP ports 5301,5432,5300,5299,5298,5297,5296 and 5295. Third-party adversaries who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2022-0560]

PostgreSQL Database (IANA official)
 5433 tcp,udp pyrrho not scanned Bouwsoft file/webserver (TCP)

Vertica (big data analytics platform) uses the following ports:
22 TCP sshd admin tools and management console
4803 TCP/UDP - Spread client connections
4804 UDP - Spread daemon connections
5433 TCP - Vertica client (vsql, ODBC, JDBC, etc) port
5433 UDP - Vertica spread monitoring
5434 TCP - Vertica intra- and inter-cluster communication
5444 TCP - Vertica management console
5450 TCP - Vertica management console
6543 UDP - Spread monitor to daemon connection

IANA registered for: Pyrrho DBMS
 5434 tcp vertica not scanned Vertica (big data analytics platform) uses the following ports:
22 TCP sshd admin tools and management console
4803 TCP/UDP - Spread client connections
4804 UDP - Spread daemon connections
5433 TCP - Vertica client (vsql, ODBC, JDBC, etc) port
5433 UDP - Vertica spread monitoring
5434 TCP - Vertica intra- and inter-cluster communication
5444 TCP - Vertica management console
5450 TCP - Vertica management console
6543 UDP - Spread monitor to daemon connection
 5436 udp pmip6-cntl not scanned pmip6-cntl [RFC5844] (IANA official)
 5437 udp pmip6-data not scanned pmip6-data [RFC5844] (IANA official)
 5440 tcp,udp shoretel not scanned ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The SiNVR 3 Central Control Server (CCS) does not enforce logging of security-relevant activities in its XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. An authenticated remote attacker could exploit this vulnerability to perform covert actions that are not visible in the application log.
References: [CVE-2019-19292], [CVE-2019-19295], [XFDB-177561], [XFDB-177564]
 5441 udp shoretel not scanned ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5442 udp shoretel not scanned ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5443 tcp,udp spss not scanned ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)


Pearson HTTPS [Pearson] (IANA official)
 5444 udp shoretel not scanned ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5444 tcp applications not scanned Vertica (big data analytics platform) uses the following ports:
22 TCP sshd admin tools and management console
4803 TCP/UDP - Spread client connections
4804 UDP - Spread daemon connections
5433 TCP - Vertica client (vsql, ODBC, JDBC, etc) port
5433 UDP - Vertica spread monitoring
5434 TCP - Vertica intra- and inter-cluster communication
5444 TCP - Vertica management console
5450 TCP - Vertica management console
6543 UDP - Spread monitor to daemon connection

A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The SiNVR 3 Central Control Server (CCS) does not enforce logging of security-relevant activities in its XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. An authenticated remote attacker could exploit this vulnerability to perform covert actions that are not visible in the application log.
References: [CVE-2019-19292], [CVE-2019-19295], [XFDB-177561], [XFDB-177564]
 5445 udp applications not scanned Cisco Unified Video Advantage

ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5445 tcp,sctp smbdirect not scanned Server Message Block over Remote Direct Memory Access [Microsoft Corporation 2] (IANA official)
 5446 udp shoretel not scanned ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5447 tcp shoretel not scanned ShoreTel IP Telephony system uses the following ports:
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5449 tcp shoretel not scanned ShoreTel IP Telephony system uses the following ports:
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5450 tcp,udp tiepie not scanned Vertica (big data analytics platform) uses the following ports:
22 TCP sshd admin tools and management console
4803 TCP/UDP - Spread client connections
4804 UDP - Spread daemon connections
5433 TCP - Vertica client (vsql, ODBC, JDBC, etc) port
5433 UDP - Vertica spread monitoring
5434 TCP - Vertica intra- and inter-cluster communication
5444 TCP - Vertica management console
5450 TCP - Vertica management console
6543 UDP - Spread monitor to daemon connection

OSIsoft PI Server Client Access (TCP)

AspenTech Cim-IO uses port 5450 TCP for their industrial communications (process historian). PI 3 server uses port 5450 and PI 2 server uses port 545.

Malware using this port: Pizza trojan

IANA registered for: TiePie engineering data acquisition
 5454 tcp worm not scanned Citrix NetScaler MAS uses port 5454 TCP for communication and database synchronization between NetScaler MAS nodes in high availability mode.

W32.Rinbot.L (2007.02.28) - a worm that spreads through network shares and by exploiting vulnerabilities. It also opens a back door on the compromised computer.

The web application portal of the Cobham EXPLORER 710, firmware version 1.07, allows unauthenticated access to port 5454. This could allow an unauthenticated, remote attacker to connect to this port via Telnet and execute 86 Attention (AT) commands, including some that provide unauthenticated, shell-like access to the device.
References: [CVE-2019-9531], [XFDB-168650]

IANA registered for: APC 5454 (TCP/UDP) [American Power Conv]
 5455 tcp,udp apc-5455 not scanned APC 5455 [American Power Conve] (IANA official)
 5456 tcp,udp apc-5456 not scanned APC 5455 [American Power Conve] (IANA official)
 5457 tcp applications not scanned OSIsoft PI Asset Framework Client Access
 5458 tcp applications not scanned OSIsoft PI Notifications Client Access
 5467 tcp worm Members scan W32.Kobot worm
 5469 tcp shoretel not scanned ShoreTel IP Telephony system uses the following ports:
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)
 5479 tcp games not scanned The Settlers II 10th Anniversary Edition
 5480 tcp applications not scanned VMware VAMI (Virtual Appliance Management Infrastructure) - used for initial setup of various administration settings on Virtual Appliances designed using the VAMI architecture.

The vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter API) service. A malicious actor with network access to port 5480 on vCenter Server may exploit this issue by sending a specially crafted jsonrpc message to create a denial of service condition.
References: [CVE-2021-22019]

The vCenter Server contains an authenticated code execution vulnerability in VAMI (Virtual Appliance Management Infrastructure). An authenticated VAMI user with network access to port 5480 on vCenter Server may exploit this issue to execute code on the underlying operating system that hosts vCenter Server.
References: [CVE-2021-22014]
 5481 tcp applications not scanned Schneider Electric's ClearSCADA (SCADA implementation for Windows) - used for client-to-server communication
 5492 tcp,udp not scanned Soti Pocket Controller-Professional 5.0 allows remote attackers to turn off, reboot, or hard reset a PDA via a series of initialization, command, and reset packets sent to port 5492.
References: [CVE-2005-4152] [BID-15775] [SECUNIA-17966]
 5494 tcp,udp applications not scanned MobiControl Deployment server
 5495 tcp applications not scanned IBM Cognos TM1 Admin server
 5496 udp applications not scanned An unspecified "logical programming mistake" in SMART SynchronEyes Student and Teacher 6.0, and possibly earlier versions, allows remote attackers to cause a denial of service via a large packet to the Teacher discovery port (UDP port 5496), which causes a thread to terminate and prevents communications on that port.
References: [CVE-2006-1647], [BID-17373], [SECUNIA-19535]
 5498 tcp hotline not scanned Hotline tracker server connection, Hotline Tracker
 5499 udp hotline not scanned Hotline tracker server discovery, Hotline Server Locator, Hotline Server
 5500 tcp,udp fcp-addr-srvr1 Members scan HotLine peer-to-peer file sharing, Virtual Network Computing (VNC), Tight VNC

Proxy.exe in DualDesk 20 allows Remote Denial Of Service (daemon crash) via a long string to TCP port 5500.
References: [CVE-2018-7583], [EDB-44222]

A vulnerability in the Easy Virtual Switching System (VSS) feature of Cisco IOS XE Software for Cisco Catalyst 4500 Series Switches and Cisco Catalyst 4500-X Series Switches could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying Linux operating system of an affected device. The vulnerability is due to incorrect boundary checks of certain values in Easy VSS protocol packets that are destined for an affected device. An attacker could exploit this vulnerability by sending crafted Easy VSS protocol packets to UDP port 5500 while the affected device is in a specific state. When the crafted packet is processed, a buffer overflow condition may occur. A successful exploit could allow the attacker to trigger a denial of service (DoS) condition or execute arbitrary code with root privileges on the underlying Linux operating system of the affected device.
References: [CVE-2021-1451]

fcp-addr-srvr1 (IANA official)
 5501 tcp,udp fcp-addr-srvr2 not scanned fcp-addr-srvr2, Hotline server, Hotline file transfer connection, MOHAA Reverend
 5502 tcp,udp fcp-srvr-inst1 not scanned fcp-srvr-inst1, Hotline Server, MOHAA Reverend
 5503 tcp,udp fcp-srvr-inst2 Premium scan Hotline Server, MOHAA Reverend

Remote Shell trojan also uses this port (TCP).

IANA registered for: fcp-srvr-inst2.
 5504 tcp,udp fcp-cics-gw1 not scanned fcp-cics-gw1, MOHAA Reverend
 5506 tcp,udp amc not scanned Amcom Mobile Connect
 5507 tcp psl-management not scanned PowerSysLab Electrical Management (IANA official)
 5512 tcp trojans Premium scan Illusion Mailer, Xtcp
 5517 tcp applications not scanned Setiqueue Proxy server client for SETI@Home project
 5521 tcp skype Premium scan Port used by Skype VoIP.

Illusion Mailer trojan also uses port 5521 (TCP).
 5522 tcp,udp applications Premium scan MOHAA Reverend, Telnet
Malicious services using this port: WinShell Backdoor
 5525 tcp slican not scanned Port 5525/TCP is used by Slican devices for billing purposes (slican.com)
 5534 tcp trojan Premium scan The Flu

SoulSeek file sharing also uses port 5534 (TCP/UDP)
 5540 tcp,udp matter not scanned Matter Operational Discovery and Communication (IANA official)
 5543 tcp qftest-licserve not scanned QF-Test License Server (IANA official)
 5544 tcp applications Premium scan MOHAA Reverend

W32.Zotob trojan/worm also uses this port.
 5546 tcp,udp applications not scanned GeoVision Center V2
 5547 tcp,udp applications not scanned GeoVision Center V2
 5548 tcp,udp applications not scanned GeoVision Center V2

OKI C5510MFP Printer CU H2.15, PU 01.03.01, System F/W 1.01, and Web Page 1.00 sends the configuration of the printer in cleartext, which allows remote attackers to obtain the administrative password by connecting to TCP port 5548 or 7777.
References: [CVE-2008-0374], [BID-27339]
 5549 tcp,udp applications not scanned GeoVision Center V2
 5550 tcp trojans Premium scan Xtcp 2, Pizza

Hewlett-Packard Data Protector, GeoVision TwinDVR with Webcam (TCP/UDP) also use this port.

IANA registered for: Model Railway control using the CBUS message protocol
 5553 tcp trojan Premium scan Backdoor.Xlog [Symantec-2002-082915-5857-99]

Backdoor.Win32.XLog.21 / Authentication Bypass Race Condition - the malware listens on TCP port 5553. Third-party attackers who can reach the system before a password has been set can logon using default credentials of noname/nopass and run commands made available by the backdoor including changing the password thereby potentially locking out the original intruder.
References: [MVID-2022-0543]
 5554 tcp trojans Members scan W32.Sasser.Worm [Symantec-2004-050116-1831-99] (2004.04.30) - remote access trojan. Affects all current Windows versions, attempts to exploit a vulnerability addressed in Microsoft Security Bulletin [MS04-011]. There are some issues associated with using the [MS04-011] update discussed here: MS KB 835732.

Trojan runs an FTP server on port 5554 on infected systems and attempts to connect to random IPs on TCP port 445. If a connection is established, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm.

Backdoor.Win32.FTP.Ics / Authentication Bypass - the malware runs an FTP server on TCP port 5554. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.
References: [MVID-2022-0498]

Backdoor.Win32.FTP.Ics / Port Bounce Scan (MITM) - the malware listens on TCP port 5554 and accepts any credentials. Third-party intruders who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2022-0500]
 5555 tcp ms-crm Premium scan SoftEther VPN (Ethernet over HTTPS) uses TCP Ports 443, 992 and 5555

Port also used by Freeciv gaming protocol, InfoSeek Personal Agent, HP OpenView Storage Data Protector (formerly HP OmniBack), McAfee EndPoint Encryption Database Server, SAP

RainMachine automatic irrigation control uses this port.

ShoreTel IP Telephony system uses the following ports
2427 UDP - IP phones listening port
2727 UDP - switches listening port
5004 UDP - voice packets
5440 TCP - HTTP CSIS, 5440 UDP - Location Service Protocol
5441 UDP - ShoreSIP
5442, 5446 UDP - DRS
5443, 5444, 5445 UDP - Bandwidth Reservation Protocol
5447, 5449, 5469 TCP - CAS & web proxy
5555 TCP - Shoreline diagnostic port (ipbxctl -diag)


Backdoor.Darkmoon.E [Symantec-2007-092515-0356-99] (2007.09.25) - a Trojan horse that opens a back door on TCP port 5555 on the compromised computer.

Some other trojans also use this port: Backdoor.Sysbug [Symantec-2003-112517-2455-99], Noxcape, W32.MiMail.P, Daodan, Backdoor.OptixPro, ServeMe.

HP OpenView OmniBack 2.55 allows remote attackers to cause a denial of service via a large number of connections to port 5555.
References: [CVE-2000-0179] [BID-1015]

The Backup Client Service (OmniInet.exe) in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary commands or cause a denial of service via a crafted EXEC_BAR packet to TCP port 5555, aka ZDI-CAN-1885.
References: [CVE-2013-2347] [OSVDB-101626]

HP Data Protector could allow a remote attacker to execute arbitrary commands on the system. By sending a specially-crafted request to TCP port 5555, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
References: [CVE-2014-2623] [XFDB-94504]

KDDI CORPORATION Smart TV Box could allow a remote attacker to bypass security restrictions, caused by the failure to restrict access by the Android Debug Bridge. By using port 5555/TCP, an attacker could exploit this vulnerability to conduct arbitrary operations on the device without user's intent.
References: [CVE-2019-6005], [XFDB-165762]

Jector Smart TV FM-K75 could allow a remote attacker to execute arbitrary code on the system. By using an adb connect to 5555 port, an attacker could exploit this vulnerability to execute arbitrary code on the system with root privileges.
References: [CVE-2019-9871], [XFDB-162056]

UPNP Service listening on port 5555 in Genexis Platinum 4410 Router V2.1 (P4410-V2–1.34H) has an action 'X_GetAccess' which leaks the credentials of 'admin', provided that the attacker is network adjacent.
References: [CVE-2020-25988]

Backdoor.Win32.FTP.Ics / Unauthenticated Remote Command Execution - the malware listens on TCP port 5555. Third-party attackers who can reach the system can run commands made available by the backdoor hijacking the infected host.
References: [MVID-2022-0499]

Fortinet FortiNAC could allow a remote attacker to gain unauthorized access to the system, caused by a command injection vulnerability. By sending a specially crafted request to the tcp/5555 service, an attacker could exploit this vulnerability to copy local files of the device to other local directories of the device.
References: [CVE-2023-33300], [XFDB-258703]

Microsoft Dynamics CRM 4.0. (IANA official)
 5556 tcp trojan Premium scan BO Facil, H0rtiga

Oracle WebLogic Server could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to restrict access to specific commands by the Node Manager utility. If the Node Manager utility is installed and the Weblogic domain name is known, a remote attacker could send a direct request to port 5556 to execute arbitrary commands on the system.
References: [BID-37926], [XFDB-55845]

IANA registered for: Freeciv gameplay
 5557 tcp trojan Premium scan Citrix NetScaler appliance MAS uses port 5557 TCP for logstream communication from NetScaler to NetScaler MAS.

BO Facil trojan

Port is IANA registered for Sandlab FARENET.
 5558 tcp trojan Premium scan Backdoor.Easyserv [Symantec-2002-080619-3837-99]

Missing Handler vulnerability in the proprietary management protocol (port TCP 5558) of Hitachi Energy FOX61x, XCM20 allows an attacker that exploits the vulnerability by activating SSH on port TCP 5558 to cause disruption to the NMS and NE communication. This issue affects: Hitachi Energy FOX61x versions prior to R15A. Hitachi Energy XCM20 versions prior to R15A.
References: [CVE-2021-40334]

Backdoor.Win32.Easyserv.11.c / Insecure Transit - the malware makes outbound C2 connection to TCP port 5558.
Credentials are sent over the network in plaintext and the payload looks exactly like that used by XLog malware MD5:2906b5dc5132dd1319827415e837168f.
References: [MVID-2022-0534]
 5565 tcp hpe-dp-bura not scanned IANA registered for: HPE Advanced BURA
 5566 tcp westec-connect not scanned Westec Connect
Synology Snapshot & Replication backup recovery tool uses port 5566/tcp by default
 5567 tcp,udp enc-eps-mc-sec not scanned EMIT protocol stack multicast/secure transport [Panasonic_Intranet_Panasonic_North_America_PEWLA] (IANA official)

IANA registered for: DOF Protocol Stack (TCP); Multicast/Secure Transport DOF Protocol Stack (UDP)
 5569 tcp trojan Premium scan RoboHack trojan
PLASA E1.33, Remote Device Management (RDM) controller status notifications [PLASA] (IANA official)
 5569 udp rdmnet-device not scanned PLASA E1.33, Remote Device Management (RDM) messages [PLASA] (IANA official)
 5575 tcp ora-oap not scanned Oracle Access Protocol
 5577 tcp applications not scanned MOHAA Reverend, iSeries Access
 5588 tcp trojans Premium scan Easyserv.11 [Symantec-2002-080619-3837-99] (2002.08.06) - remote access trojan. Affects all current Windows versions.
 5591 tcp applications not scanned IANA registered for: Tidal Enterprise Scheduler master-Socket. It is used for communication between Agent-to-Master, though can be changed.
 5598 tcp trojan Premium scan BackDoor 2.03
 5599 tcp applications not scanned Ant Media Server is live streaming engine software. A local privilege escalation vulnerability present in versions 2.6.0 through 2.8.2 allows any unprivileged operating system user account to escalate privileges to the root user account on the system. This vulnerability arises from Ant Media Server running with Java Management Extensions (JMX) enabled and authentication disabled on localhost on port 5599/TCP. This vulnerability is nearly identical to the local privilege escalation vulnerability CVE-2023-26269 identified in Apache James. Any unprivileged operating system user can connect to the JMX service running on port 5599/TCP on localhost and leverage the MLet Bean within JMX to load a remote MBean from an attacker-controlled server. This allows an attacker to execute arbitrary code within the Java process run by Ant Media Server and execute code within the context of the `antmedia` service account on the system. Version 2.9.0 contains a patch for the issue. As a workaround, one may remove certain parameters from the 'antmedia.service' file.
References: [CVE-2024-32656]
 5600 tcp esmmanager Members scan X-ztoo, also known as [X]-ztoo 1.0, Backdoor.VB.gen and Backdoor.VB.nr, is a backdoor Trojan affecting Microsoft Windows operating systems. The backdoor uses a client/server relationship, where the server component is installed in the victim's system and the remote attacker has control of the client. The server attempts to open a port, typically TCP port 5600, to allow the client system to connect. X-ztoo could allow a remote attacker to gain unauthorized access to the system.
Reference: [XFDB-19662]

The DMCRUIS/0.1 web server on the Samsung PS50C7700 TV allows remote attackers to cause a denial of service (daemon crash) via a long URI to TCP port 5600.
References: [CVE-2013-4890], [XFDB-85904], [BID-61391]

Port is also IANA registered for: Enterprise Security Manager (tcp/udp)
 5601 tcp,udp esmagent not scanned Kibana (TCP)

Enterprise Security Agent (IANA official)
 5610 tcp,udp applications not scanned GeoVision Vital Sign Monitor
 5618 tcp efr not scanned IANA registered for: Fiscal Registering Protocol
 5631 udp pc-anywhere Members scan PC-Anywhere sends UDP ping looking for a server on ports 22 and 5632. If it doesn't know the server address, it will ping the entire subnet to find one!

If you're running PC-Anywhere, make sure that you assign exact IP addresses of the systems that will be using it in the configuration, to avoid PC-Anywhere scanning an entire IP range looking for "your target system" and essentially advertising the service to every potential intruder in your IP block.

Symantec pcAnywhere 8.0 allows remote attackers to cause a denial of service (CPU utilization) via a large amount of data to port 5631.
References: [CVE-1999-1028]

IANA registered for: pcANYWHEREdata (TCP/UDP)

Vulnerabilities listed: 100 (some use multiple ports)