| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 5631 |
tcp |
applications |
not scanned |
The awhost32 service in Symantec pcAnywhere through 12.5.3, Altiris IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), Altiris Client Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), and Altiris Deployment Solution Remote pcAnywhere Solution 7.1 (aka 12.5.x and 12.6.x) allows remote attackers to cause a denial of service (daemon crash) via a crafted TCP session on port 5631.
References: [CVE-2012-0292] [BID-52094]
The host-services component in Symantec pcAnywhere 12.5.x through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), does not properly filter login and authentication data, which allows remote attackers to execute arbitrary code via a crafted session on TCP port 5631.
References: [CVE-2011-3478] [BID-51592] |
| 5632 |
udp |
pc-anywhere |
Members scan |
PC-Anywhere sends UDP ping looking for a server on ports 22 and 5632. If it doesn't know the server address, it will ping the entire subnet to find one !.
If you're running PC-Anywhere, make sure that you assign exact IP addresses of the systems that will be using it in the configuration, to avoid PC-Anywhere scanning an entire IP range looking for "your target system" and essentially advertising the service to every potential intruder in your IP block.
IANA registered for: pcANYWHEREstat (TCP/UDP) |
| 5633 |
tcp |
applications |
not scanned |
The Job Engine (bengine.exe) service in Symantec Backup Exec for Windows Servers (BEWS) 11d allows remote attackers to cause a denial of service (CPU and memory consumption, NULL dereference and service crash) via a crafted packet to port 5633/tcp, triggering an infinite loop.
References:
[CVE-2007-4346] [SECUNIA-26975]
[CVE-2007-4347] [BID-26029]
BE Operations Request Listener (IANA official) |
| 5636 |
tcp |
trojan |
Premium scan |
PC Crasher trojan |
| 5637 |
tcp |
trojan |
Premium scan |
PC Crasher trojan
IANA registered for: Symantec CSSC |
| 5638 |
tcp |
trojan |
Premium scan |
PC Crasher trojan
Symantec Fingerprint Lookup and Container Reference Service [Symantec Corp] (IANA official) |
| 5639 |
tcp |
ics |
not scanned |
Symantec Integrity Checking Service [Symantec Corp] (IANA official) |
| 5645 |
tcp,udp |
applications |
not scanned |
Voyager Server
Malicious services using this port: IRC-based Botnet |
| 5646 |
tcp |
vfmobile |
not scanned |
Ventureforth Mobile [Ventureforth Inc] (IANA officials) |
| 5650 |
tcp |
trojan |
Premium scan |
Pizza trojan |
| 5652 |
tcp |
trojans |
Members scan |
W32.Fanbot.A@mm [Symantec-2005-101715-5745-99] (2005.10.17) - a mass-mailing worm that lowers security settings on the compromised computer. It can also spread through P@P networks and exploring the MS Plug and Play Buffer Overflow vulnerability described in [MS05-039]. Opens a backdoor and listens for remote commands by connecting to IRC servers on port 5652/tcp. |
| 5655 |
tcp,udp |
applications |
not scanned |
Astium PBX is vulnerable to a denial of service, caused by improper bounds checking by the astiumd service. By sending an overly long string to port 5655, a remote attacker could exploit this vulnerability to overflow a buffer and cause the device to crash and restart.
References: [XFDB-80895], [BID-57095], [EDB-23830] |
| 5656 |
tcp |
applications |
not scanned |
MOHAA Reverend
IBM Lotus Sametime p2p file transfer
|
| 5657 |
tcp |
applications |
not scanned |
MOHAA Reverend |
| 5657 |
udp |
palcom-disc |
not scanned |
Port is IANA assigned for PalCom Discovery. |
| 5658 |
tcp |
applications |
not scanned |
MOHAA Reverend |
| 5665 |
tcp |
applications |
not scanned |
MOHAA Reverend |
| 5666 |
tcp |
applications |
Premium scan |
MOHAA Reverend, Nagios NRPE
PC Crasher trojan also uses this port.
SuperDoctor5 - 'NRPE' Remote Code Execution
References: [EDB-47030]
Nagios Remote Plugin Executor (IANA official) |
| 5667 |
tcp |
applications |
not scanned |
NSCA (Nagios), MOHAA Reverend |
| 5669 |
tcp |
trojan |
Premium scan |
SpArTa trojan |
| 5670 |
tcp |
filemq |
not scanned |
Active Worlds
ZeroMQ file publish-subscribe protocol [ZeroMQ.org] (IANA official) |
| 5670 |
udp |
zre-disc |
not scanned |
Local area discovery and messaging over ZeroMQ (IANA official) |
| 5671 |
tcp,udp |
amqps |
not scanned |
AMQP protocol over TLS/SSL
SolarWinds Server & Application Monitor (SAM) uses the following ports:
4369 TCP - RabbitMQ messaging (EMPD)
5671 TCP - RabbitMQ messaging (AMQP over TLS/SSL)
5672 TCP - RabbitMQ messaging (AMQP unencrypted backup port)
17777 TCP - Orion module traffic, RSA handshake, AES 256 communication using WCF
17778 TCP - SolarWinds Information Service API
17779 TCP - SolarWinds Toolset Integration over HTTP
17790 TCP - Agent communication with the Orion server
17791 TCP - Agent communication with the Orion server
25672 TCP - RabbitMQ messaging (Erlang distribution)
SolarWinds also uses the following standard ports: 22/TCP, 25/TCP, 135/TCP, 161-162/UDP, 443/TCP, 445/TCP, 465/TCP, 587/TCP, 1801/TCP
Dell EMC NetWorker versions 19.1.x, 19.1.0.x, 19.1.1.x, 19.2.x, 19.2.0.x, 19.2.1.x 19.3.x, 19.3.0.x, 19.4.x, 19.4.0.x, 19.5.x,19.5.0.x, 19.6 and 19.6.0.1 and 19.6.0.2 contain an Improper Validation of Certificate with Host Mismatch vulnerability in Rabbitmq port 5671 which could allow remote attackers to spoof certificates.
References: [CVE-2022-29082] |
| 5672 |
tcp,udp,sctp |
amqp |
not scanned |
MOHAA Reverend
SolarWinds Server & Application Monitor (SAM) uses the following ports:
4369 TCP - RabbitMQ messaging (EMPD)
5671 TCP - RabbitMQ messaging (AMQP over TLS/SSL)
5672 TCP - RabbitMQ messaging (AMQP unencrypted backup port)
17777 TCP - Orion module traffic, RSA handshake, AES 256 communication using WCF
17778 TCP - SolarWinds Information Service API
17779 TCP - SolarWinds Toolset Integration over HTTP
17790 TCP - Agent communication with the Orion server
17791 TCP - Agent communication with the Orion server
25672 TCP - RabbitMQ messaging (Erlang distribution)
SolarWinds also uses the following standard ports: 22/TCP, 25/TCP, 135/TCP, 161-162/UDP, 443/TCP, 445/TCP, 465/TCP, 587/TCP, 1801/TCP
Zulip, an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this includes port 25672, the RabbitMQ distribution port, which is used as a management port. RabbitMQ's default "cookie" which protects this port is generated using a weak PRNG, which limits the entropy of the password to at most 36 bits; in practicality, the seed for the randomizer is biased, resulting in approximately 20 bits of entropy. If other firewalls (at the OS or network level) do not protect port 25672, a remote attacker can brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary execution of code as the rabbitmq user. They can also read all data which is sent through RabbitMQ, which includes all message traffic sent by users. Version 4.9 contains a patch for this vulnerability. As a workaround, ensure that firewalls prevent access to ports 5672 and 25672 from outside the Zulip server.
References: [CVE-2021-43799]
Advanced Message Queueing Protocol, see http://www.amqp.org (IANA official) |
| 5674 |
|
hyperscsi-port |
not scanned |
HyperSCSI Port [Data Storage Institut] (IANA official) |
| 5675 |
tcp,udp,sctp |
v5ua |
not scanned |
V5UA application port (IANA official) [RFC 3807] |
| 5678 |
tcp,udp |
rrac |
Basic scan |
Port used by Linksys (and other) Cable/DSL Routers Remote Administration. Also used by MikroTik Neighbor Discovery protocol and n8n.
Vulnerable systems: Linksys Cable/DSL version 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
Immune systems: Linksys Cable/DSL versions prior to 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
SNATMAP server also uses this port to ensure that connections between iChat users can properly function behind network address translation (NAT).
Buffer overflow in the Nortel UNIStim IP Softphone 2050 allows remote attackers to cause a denial of service (application abort) and possibly execute arbitrary code via a flood of invalid characters to the RTCP port (5678/udp) that triggers a Windows error message, a.k.a. "extraneous messaging."
References: [CVE-2007-5636] [BID-26118]
WellinTech KingHistorian 3.0 allows remote attackers to execute arbitrary code or cause a denial of service (invalid pointer write) via a crafted packet to TCP port 5678.
References: [CVE-2012-2559]
Linksys EtherFast Cable/DSL BEFSR11, BEFSR41 and BEFSRU31 with the firmware 1.42.7 upgrade installed opens TCP port 5678 for remote administration even when the "Block WAN" and "Remote Admin" options are disabled, which allows remote attackers go gain access.
References: [CVE-2002-2159] [BID-4987]
A vulnerability has been identified in SIMATIC WinCC OA V3.14 and prior (All versions < V3.14-P021). Improper access control to a data point of the affected product could allow an unauthenticated remote user to escalate its privileges in the context of SIMATIC WinCC OA V3.14. This vulnerability could be exploited by an attacker with network access to port 5678/TCP of the SIMATIC WinCC OA V3.14 server. Successful exploitation requires no user privileges and no user interaction. This vulnerability could allow an attacker to compromise integrity and availability of the SIMATIC WinCC OA system. At the time of advisory publication no public exploitation of this vulnerability was known.
References: [CVE-2018-13799], [BID-105332] |
| 5679 |
tcp |
trojan |
Premium scan |
Nautical trojan
The Utils::runScripts function in src/utils.cpp in vdccm 0.92 through 0.10.0 in SynCE (SynCE-dccm) allows remote attackers to execute arbitrary commands via shell metacharacters in a certain string to TCP port 5679.
References: [CVE-2008-1136], [BID-27178]
Port also IANA registered for Direct Cable Connect Manager. |
| 5682 |
udp |
brightcore |
not scanned |
BrightCore control & data transfer exchange |
| 5683 |
udp |
coap |
not scanned |
Constrained Application Protocol (IANA official) [RFC 7252] |
| 5684 |
udp |
coaps |
not scanned |
DTLS-secured CoAP (IANA official) [RFC 7252] |
| 5693 |
tcp |
rbsystem |
not scanned |
Backdoor.WinMap [Symantec-2004-010512-2847-99] (2000.06.19) - a backdoor trojan horse that opens a port on the system and allows incoming connections. This can provide an attacker full control over the system.
Nagios Cross Platform Agent (NCPA) also uses this port.
IANA registered for: Robert Bosch Data Transfer. |
| 5695 |
tcp |
trojan |
Members scan |
Backdoor.Assasin.D trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker. |
| 5696 |
tcp |
trojan |
Premium scan |
Assasin trojan
IANA assigned for: Key Management Interoperability Protocol |
| 5697 |
tcp |
trojan |
Premium scan |
Assasin trojan |
| 5698 |
tcp |
trojan |
Premium scan |
BackDoor.203 trojan |
| 5700 |
tcp,udp |
applications |
not scanned |
Camstreams
Unspecified vulnerability in the Audit Vault component in Oracle Audit Vault 10.2.3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable third party coordinator that this issue is related to a crafted parameter in an action.execute request to the av component on TCP port 5700.
References: [CVE-2010-4449] [BID-45844] [SECUNIA-42919] [OSVDB-70583]
IANA registered for: Dell SupportAssist data center management (TCP) |
| 5701 |
tcp |
applications |
not scanned |
Open-Xchange AppSuite could provide weaker than expected security, caused by the use of Hazelcast based cluster API implementation at the backend with default configuration to listen all network interfaces at TCP port 5701. By sending a specially-crafted request to connect a malicious server, a remote attacker could exploit this vulnerability to modify configuration, scan internal hosts or proxy Internet traffic and gain unauthorized access to devices on the internal network.
References: [CVE-2013-5200], [XFDB-86975] |
| 5705 |
tcp |
storageos |
not scanned |
IANA registered for: StorageOS REST API |
| 5714 |
tcp |
trojan |
Premium scan |
WinCrash [Symantec-2000-121909-3241-99], WinCrash 3 (TCP) |
| 5720 |
tcp,udp |
applications |
not scanned |
Jumi Controller |
| 5721 |
tcp,udp |
dtpt |
not scanned |
Kaseya
IANA registered for: Desktop Passthru Service |
| 5722 |
tcp |
applications |
not scanned |
DFSR.exe in Windows Meeting Space in Microsoft Windows Vista remains available for remote connections on TCP port 5722 for 2 minutes after Windows Meeting Space is closed, which allows remote attackers to have an unknown impact by connecting to this port during the time window.
References: [CVE-2007-1534], [OSVDB-33668]
Port is also IANA registered for Microsoft DFS Replication Service |
| 5723 |
tcp,udp |
omhs |
not scanned |
IConnectHere
IANA registered for: Operations Manager - Health Service |
| 5727 |
tcp |
asgenf |
not scanned |
ASG Event Notification Framework |
| 5728 |
tcp |
io-dist-data |
not scanned |
Dist. I/O Comm. Service Data and Control |
| 5728 |
udp |
io-dist-group |
not scanned |
Dist. I/O Comm. Service Group Membership |
| 5730 |
tcp,udp |
games |
not scanned |
Metal Gear Solid 3 Subsistence |
| 5732 |
tcp |
worm |
Members scan |
W32.Bolgi.Worm [Symantec-2003-112019-2425-99] (2003.11.20) - a network aware worm that propagates by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability using TCP port 445 |
| 5737 |
udp |
applications |
not scanned |
eDonkey |
| 5741 |
tcp |
trojan |
Premium scan |
WinCrash [Symantec-2000-121909-3241-99], WinCrash 3 (TCP)
IDA Discover Port 1 (TCP/UDP) [MPITech Support] (IANA official) |
| 5742 |
tcp |
trojan |
Premium scan |
WinCrash [Symantec-2000-121909-3241-99] trojan. Aliases: BackDoor.M, Backdoor.Wincrash, W95/Backdoor.WinCrash
Turkojan also uses port 5742 (TCP/UDP).
IDA Discover Port 2 (TCP/UDP) [MPITech Support] (IANA official) |
| 5743 |
tcp,udp |
applications |
not scanned |
Turkojan |
| 5744 |
tcp,udp |
applications |
not scanned |
Turkojan |
| 5745 |
tcp,udp |
applications |
not scanned |
Turkojan |
| 5748 |
tcp |
trojans |
Premium scan |
Backdoor.Ranky.B [Symantec-2003-091917-5557-99] (2003.09.17) - a trojan horse that runs as a proxy server. By default, the trojan opens port 5748.
Port is also IANA registered for Wildbits Tunalyzer |
| 5753 |
tcp |
cognex |
not scanned |
Cognex In-Signt (IANA official) uses these ports:
68 udp - DHCP In-Signt vision system only
502 tcp - Modbus
1069 tcp/udp - In-Sight
1070 tcp - machine status data
2222 udp - Ethernet IP
5753 tcp - audit message server
44818 tcp/udp - Ethernet IP
51069 tcp - In-Sight secure |
| 5760 |
tcp |
trojan |
Premium scan |
Portmap Remote Root Linux Exploit
eShare Chat Server also uses this port. |
| 5761 |
tcp,udp |
applications |
not scanned |
eShare Web Tour |
| 5764 |
tcp,udp |
applications |
not scanned |
eShare Admin Server |
| 5777 |
tcp,udp |
games |
not scanned |
Rainbox Six 3: Raven Shield, developer: Ubisoft Montreal
Control commands and responses (IANA official) |
| 5778 |
tcp,udp |
games |
not scanned |
Rainbox Six 3: Raven Shield, developer: Ubisoft Montreal |
| 5780 |
tcp |
vts-rpc |
not scanned |
Visual Tag System RPC |
| 5784 |
udp |
ibar |
not scanned |
Cisco Interbox Application Redundancy |
| 5786 |
udp |
worm |
not scanned |
W32.Wergimog.B [Symantec-2012-051704-2659-99] (2012.05.16) - a worm that attempts to spread through removable drives. It also opens a back door and may steal information from the compromised computer.
Port is also used by Cisco Redundancy notification |
| 5787 |
udp |
waascluster |
not scanned |
IANA registered for: Cisco WAAS Cluster Protocol |
| 5794 |
udp |
spdp |
not scanned |
Simple Peered Discovery Protocol |
| 5798 |
tcp |
enlabel-dpl |
not scanned |
Proprietary Website deployment service (IANA official) |
| 5799 |
tcp,udp |
applications |
not scanned |
ECC Server |
| 5800 |
tcp |
vnc |
Members scan |
VNC (Virtual Network Computing) - remote control programs, typically also use ports 5800+ and 5900+ for additional machines.
Backdoor.Evivinc [Symantec-2004-042518-0520-99] trojan also uses this port. |
| 5802 |
tcp |
trojan |
Premium scan |
Y3K RAT trojan |
| 5810 |
tcp |
trojan |
Premium scan |
Y3K RAT |
| 5814 |
tcp,udp |
spt-automation |
not scanned |
IANA registered for: Support Automation |
| 5820 |
tcp |
autopassdaemon |
not scanned |
AutoPass licensing (IANA official) |
| 5823 |
tcp |
malware |
not scanned |
Trojan-Proxy.Win32.Daemonize.i / Remote Denial of Service - Daemonize.i listens on TCP port 5823, sending some junk packets to the trojan results in invalid pointer read leading to an access violation and crash.
References: [MVID-2021-0102] |
| 5827 |
tcp,udp |
games |
not scanned |
World Championship Snooker |
| 5842 |
tcp |
reversion |
not scanned |
Key Management Interoperability Protocol
Reversion Backup/Restore [Cameo Systems Inc] (IANA official) |
| 5843 |
tcp,udp |
applications |
not scanned |
IIS Admin Service |
| 5850 |
tcp |
applications |
not scanned |
COMIT SE (PCR) |
| 5852 |
tcp |
applications |
not scanned |
Adeona client: communications to OpenDHT |
| 5858 |
tcp |
trojan |
Premium scan |
Y3K RAT trojan
inSpeak Communicator also uses this port.
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
References: [CVE-2018-12120], [BID-106040]
|
| 5859 |
tcp,udp |
wherehoo |
not scanned |
Backdoor.Win32.Armagedon.R / Hardcoded Cleartext Credentials - the malware listens on TCP port 5859 and requires authentication. The password "KOrUPtIzEre" is stored in cleartext within the PE file at offset 0x4635f. Connecting to the backdoor returns the value "1" then enter the password.
References: [MVID-2024-0670]
WHEREHOO (IANA official) |
| 5864 |
tcp,udp |
applications |
not scanned |
BiblioFile |
| 5868 |
tcp,sctp |
diameters |
not scanned |
Diameter over TLS/TCP [IESG] (IANA official) [RFC 6733] |
| 5873 |
tcp |
trojan |
Premium scan |
SubSeven 2.2 trojan |
| 5880 |
tcp |
trojan |
Members scan |
BD Y3K RAT [Symantec attack signature ID 20264] - a backdoor trojan allowing unauthorized access to the compromised computer. Y3K RAT typically runs from the server file "C:\WINDOWS\RundlI.exe" over TCP ports 5882, 5888, and 5889. |
| 5881 |
udp |
trojan |
not scanned |
BD Y3K RAT [Symantec attack signature ID 20264] - a backdoor trojan allowing unauthorized access to the compromised computer. Y3K RAT typically runs from the server file "C:\WINDOWS\RundlI.exe" over TCP ports 5882, 5888, and 5889. May also use port 5881/UDP |
| 5882 |
tcp |
trojan |
Members scan |
BD Y3K RAT [Symantec attack signature ID 20264] - a backdoor trojan allowing unauthorized access to the compromised computer. Y3K RAT typically runs from the server file "C:\WINDOWS\RundlI.exe" over TCP ports 5882, 5888, and 5889. |
| 5883 |
tcp |
trojan |
Premium scan |
Y3K RAT trojan
IANA registered for: Javascript Unit Test Environment |
| 5884 |
tcp |
trojan |
Members scan |
BD Y3K RAT [Symantec attack signature ID 20264] - a backdoor trojan allowing unauthorized access to the compromised computer. Y3K RAT typically runs from the server file "C:\WINDOWS\RundlI.exe" over TCP ports 5882, 5888, and 5889. |
| 5885 |
tcp |
trojan |
Premium scan |
Y3K RAT trojan
The WePresent WiPG-1500 device with firmware 1.0.3.7 has a manufacturer account that has a hardcoded username / password. Once the device is set to DEBUG mode, an attacker can connect to the device using the telnet protocol and log into the device with the 'abarco' hardcoded manufacturer account. This account is not documented, nor is the DEBUG feature or the use of telnetd on port tcp/5885.
References: [CVE-2017-6351], [BID-96588], [XFDB-122553] |
| 5886 |
tcp |
trojan |
Premium scan |
Y3K RAT trojan |
| 5887 |
tcp |
trojan |
Premium scan |
Y3K RAT trojan |
| 5888 |
tcp |
trojan |
Members scan |
BD Y3K RAT [Symantec attack signature ID 20264] - a backdoor trojan allowing unauthorized access to the compromised computer. Y3K RAT typically runs from the server file "C:\WINDOWS\RundlI.exe" over TCP ports 5882, 5888, and 5889. |
| 5889 |
tcp |
trojan |
Members scan |
BD Y3K RAT [Symantec attack signature ID 20264] - a backdoor trojan allowing unauthorized access to the compromised computer. Y3K RAT typically runs from the server file "C:\WINDOWS\RundlI.exe" over TCP ports 5882, 5888, and 5889. |
| 5890 |
tcp |
trojan |
Premium scan |
Y3K RAT trojan |
| 5897 |
udp |
xrdiags |
not scanned |
xrdiags |
| 5898 |
udp |
xrdiags |
not scanned |
xrdiags |
| 5900 |
tcp |
vnc |
Members scan |
VNC (Virtual Network Computing) - remote control programs. VNC typically also uses ports 5800+ and 5900+ for additional machines.
Citrix NetScaler appliance Lights out Management uses ports 4001, 5900, 623 TCP to run a daemon that offers unified configuration management of routing protocols.
Backdoor.Evivinc [Symantec-2004-042518-0520-99] also uses this port.
Some Apple applications use this port as well: Apple Remote Desktop 2.0 or later (Observe/Control feature), Screen Sharing (Mac OS X 10.5 or later)
RealVNC 4.0 and earlier allows remote attackers to cause a denial of service (crash) via a large number of connections to port 5900.
References: [CVE-2004-1750], [BID-11048]
W32.Gangbot [Symantec-2007-012219-2952-99] (2007.01.22) - a worm that opens a back door and connects to an IRC server. It spreads by searching for vulnerable SQL servers and by sending an HTML link to available contacts on instant messenger programs. It also spreads by exploiting the Microsoft Internet Explorer Vector Markup Language Buffer Overflow Vulnerability [BID-20096] and RealVNC Remote Authentication Bypass Vulnerability [BID-17978].
Vino 2.28, 2.32, 3.4.2, and earlier allows remote attackers to read clipboard activity by listening on TCP port 5900.
References: [CVE-2012-4429]
Vino could allow a remote attacker to bypass security restrictions, caused by an error in vino-preferences dialog box when providing information on network accessibility. By sending a specially-crafted UPnP request to TCP port 5900, an attacker could exploit this vulnerability to bypass security restrictions to scan internal hosts or proxy Internet traffic and gain unauthorized access to the vulnerable application.
References: [XFDB-82881], [CVE-2011-1164]
EchoVNC Viewer is vulnerable to a denial of service, caused by an error when allocating heap buffer size. By connecting to a malicious server, a remote attacker could exploit this vulnerability using a malformed request to TCP port 5900 to cause the application to crash.
References: [BID-61545], [XFDB-86113]
A vulnerability has been identified in RAPIDLab 1200 systems / RAPIDPoint 400 systems / RAPIDPoint 500 systems (All versions_without_ use of Siemens Healthineers Informatics products), RAPIDLab 1200 Series (All versions < V3.3 _with_ Siemens Healthineers Informatics products), RAPIDPoint 500 systems (All versions >= V3.0 _with_ Siemens Healthineers Informatics products), RAPIDPoint 500 systems (V2.4.X_with_ Siemens Healthineers Informatics products), RAPIDPoint 500 systems (All versions =< V2.3 _with_ Siemens Healthineers Informatics products), RAPIDPoint 400 systems (All versions _with_ Siemens Healthineers Informatics products). A factory account with hardcoded password might allow attackers access to the device over port 5900/tcp. Successful exploitation requires no user interaction or privileges and impacts the confidentiality, integrity, and availability of the affected device. At the time of advisory publication, no public exploitation of this security vulnerability is known. Siemens Healthineers confirms the security vulnerability and provides mitigations to resolve the security issue.
References: [CVE-2018-4846]
Siemens SINUMERIK Controllers could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow. By sending specially crafted network requests to TCP Port 5900, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges.
References: [CVE-2018-11458], [XFDB-154197], [BID-106185]
Remote Framebuffer (TCP/UDP) [RFC6143] (IANA official) |
| 5901 |
tcp |
vnc-1 |
not scanned |
Virtual Network Computer Display 1, IPContact |
