The Broadband Guide
SG
search advanced

Vulnerable Ports

This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats. We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please . Any feedback and suggestions can also be posted to our Security forum.

 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |....| 55 
Port(s) Protocol Service Scan level Description
 710 tcp,udp entrust-ash not scanned Entrust Administration Service Handler (IANA official)
 712 tcp,udp tbrpf not scanned TBRPF (IANA official) [RFC 3684]
 714 tcp,udp iris-xpcs not scanned IRIS over XPCS (IANA official) [RFC 4992]
 715 tcp,udp iris-lwz not scanned IRIS-LWZ (IANA official) [RFC 4993]
 716 udp pana not scanned PANA Messages (IANA official) [RFC 5191]
 722 tcp,udp applications not scanned A FreeBSD patch for SSH on 2000-01-14 configures ssh to listen on port 722 as well as port 22, which might allow remote attackers to access SSH through port 722 even if port 22 is otherwise filtered.
References: [CVE-2000-0532], [BID-1323]
 729 tcp,udp netviewdm1 not scanned IBM NetView DM/6000 Server/Client (IANA official)
 730 tcp,udp netviewdm2 not scanned Fortinet FortiGate uses the following ports (in addition to standard ports 53, 80, 443):
514 tcp - FortiAP logging and reporting
541 tcp, 542 tcp - FortiGuard management
703 tcp/udp. 730 udp - FortiGate heartbeat
1000 tcp, 1003 tcp - policy override keepalive
1700 tcp - FortiAuthenticator RADIUS disconnect
5246 udp - FortiAP-S event logs
8000, 8001 tcp - FortiClient SSO mobility agent
8008, 8010 tcp - policy override authentication
8013 tcp - FortiClient v.5.4
8014 tcp - Forticlient v.6
8890 tcp - AV/IPS updates, management, firmware
9443 udp - AV/IPS
9582 tcp - FortiGuard Cloud App DB (flow.fortinet.net)


IBM NetView DM/6000 send/tcp (IANA official)
 731 tcp,udp netviewdm3 not scanned IBM NetView DM/6000 receive/tcp (IANA official)
 741 tcp,udp netgw not scanned netGW (IANA official)
 742 tcp,udp netrcs not scanned Network based Rev. Cont. Sys. (IANA official)
 744 tcp,udp flexlm not scanned Flexible License Manager (IANA official)
 747 tcp,udp fujitsu-dev not scanned Fujitsu Device Control (IANA official)
 748 tcp,udp ris-cm not scanned Russell Info Sci Calendar Manager (IANA official)
 749 tcp,udp kerberos not scanned Kerberos administration
Related ports: 88,464,543,544,751
 751 tcp,udp pump not scanned Port used by kerberos_master, Kerberos 'kadmin' (v4) authentication.
IANA assigned to: pump
 758 tcp,udp nlogin not scanned nlogin (IANA official)
 759 tcp,udp con not scanned con (IANA official)
 760 tcp,udp ns not scanned ns
 761 tcp kpasswd not scanned Kerberos Password (kpasswd, kpwd), rxe
 762 tcp,udp quotad not scanned Quotad
 763 tcp,udp cycleserv not scanned Cycleserv
 764 tcp,udp omserv not scanned Omserv
 765 tcp,udp webster not scanned Webster Network Dictionary
 767 tcp,udp phonebook not scanned phone (IANA official)
 769 tcp,udp vid not scanned Vid
 770 tcp,udp cadlock not scanned Cadlock
 771 tcp,udp rtip not scanned Rtip
 772 tcp,udp cycleserv2 not scanned Cycleserv2
 773 tcp submit not scanned Submit
 773 udp notify not scanned Notify
 774 udp acmaint-dbd not scanned Acmaint_dbd (IANA official)
 774 tcp rpasswd not scanned Rpasswd
 775 udp acmaint-transd not scanned Acmaint_transd (IANA official)
 775 tcp entomb not scanned Entomb
 776 tcp,udp wpages not scanned Wpages
 777 tcp multiling-http Members scan Trojans that use this port: AimSpy (AIM trojan), Un-Detected ( a.k.a. Backdoor.TDS, 4Fuk, Trojan.Win32.TrojanRunner.Levil, U4 ).

Heap-based buffer overflow in HistorySvr.exe in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a long request to TCP port 777.
References: [CVE-2011-0406], [BID-45727]

Port also IANA registered for Multiling HTTP
 778 tcp trojan Premium scan BackDoor.Netcrack.B [Symantec-2004-041311-0342-99]
 780 tcp,udp wpgs not scanned Wpgs
 781 tcp,udp hp-collector not scanned HP Performance Data - Collector
 782 tcp,udp hp-managed-node not scanned HP Performance Data - Managed Node
 783 tcp,udp hp-alarm-mgr not scanned HP Performance Data - Alarm Manager

SpamAssassin spamd daemon
 785 tcp trojan Premium scan NetworkTerrorist
 786 tcp,udp concert not scanned Concert
 787 tcp,udp qsc not scanned QSC
 798 tcp trojan Premium scan Oracle
 799 tcp applications not scanned Remotely Possible (ControlIT)
 800 tcp trojan Premium scan NeuroticKitten
 801 tcp games not scanned Dark Ages of Camelot

Stack consumption vulnerability in WebContainer.exe 1.0.0.336 and earlier in SLMail Pro 6.3.1.0 and earlier allows remote attackers to cause a denial of service (daemon crash) via a long request header in an HTTP request to TCP port 801.
References: [CVE-2008-1689], [BID-28505]

WebContainer.exe 1.0.0.336 and earlier in SLMail Pro 6.3.1.0 and earlier allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a long URI in HTTP requests to TCP port 801. NOTE: some of these details are obtained from third party information.
References: [CVE-2008-1690] [BID-28505] [SECUNIA-29614]

device (IANA official)
 804 tcp sparx not scanned Enterprise Architect (Sparx Systems) WebConfig uses port 804 for http and 805 for https traffic by default.
 805 tcp sparx not scanned Enterprise Architect (Sparx Systems) WebConfig uses port 804 for http and 805 for https traffic by default.
 808 tcp trojan Premium scan Port used by Microsoft Net.TCP Port Sharing Service

Citrix StoreFront Server uses port 808 TCP for subscription replication services between associated clusters.

WinHole trojan

Progea Movicon is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when handling the Content-Length header. By sending a specially-crafted request to TCP port 808, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [CVE-2011-3491], [BID-49605]

Backdoor.Win32.BO2K.09.b / Unauthenticated Remote Command Execution - backdoor BO2K.09.b listens on TCP ports 707 and 808. Third party adversarys who can reach the system, can execute any command on the infected host using sockets or get a remote shell using telnet, curl etc.
References: [MVID-2021-0120]
 809 tcp,udp applications not scanned Wingate VPN
 810 tcp fcp-udp not scanned Backdoor.Win32.Augudor.b / Remote File Write Code Execution - the malware drops an empty file named "zy.exe" and listens on TCP port 810. Third-party adversaries who can reach the infected host can write executable code to the empty "zy.exe" file on the system via a socket program and it will execute as soon as the binary transfer has completed. Successfully tested with a 880 byte executable.
References: [MVID-2022-0644]

FCP (IANA official)
 810 udp fcp-udp not scanned FCP Datagram (IANA official)
 815 tcp,udp trojan not scanned Everyone's Darling trojan horse
 828 tcp,udp itm-mcell-s not scanned itm-mcell-s (IANA official)
 829 tcp trojans Premium scan Backdoor.Uzbet (2003.07.17) - a trojan that runs as a proxy server under Windows 2000/XP

Port used by CMP (Certificate Management Protocol) (unofficial) for managing Public Key Infrastrictures (PKI) based on X.509v3 certificates.

Port also IANA registered for PKIX-3 CA/RA
 830 tcp,udp netconf-ssh not scanned NETCONF over SSH (IANA official) [RFC 6242]
 831 tcp trojan Premium scan NeuroticKat

NETCONF over BEEP (IANA official) [RFC 4744]
 832 tcp,udp netconfsoaphttp not scanned NETCONF for SOAP over HTTPS (IANA official) [RFC 4743]
 833 tcp,udp netconfsoapbeep not scanned NETCONF for SOAP over BEEP (IANA official) [RFC 4743]
 843 tcp applications not scanned Adobe Flash socket policy server
 848 udp applications not scanned The default configuration of the Group Encrypted Transport VPN (GET VPN) feature on Cisco IOS uses an improper mechanism for enabling Group Domain of Interpretation (GDOI) traffic flow, which allows remote attackers to bypass the encryption policy via certain uses of UDP port 848, aka Bug ID CSCui07698.
References: [CVE-2013-3436]

GDOI (TCP/UDP) (IANA official) [RFC 3547]
 853 tcp,udp domain-s not scanned DNS over QUIC / TLS uses port 853/udp

DNS query-response protocol [IESG] [RFC7858]

DNS-over-QUIC via 853/udp (IANA official)
 854 tcp,udp dlep not scanned IANA registered for: Dynamic Link Exchange Protocol (DLEP)
 860 tcp,udp iscsi not scanned iSCSI (IANA official) [RFC 7143]
 861 tcp,udp owamp-control not scanned OWAMP-Control (IANA official) [RFC 4656]
 862 tcp,udp twamp-control not scanned Two-way Active Measurement Protocol (TWAMP) Control (IANA official) [RFC 5357]
 871 tcp supfilesrv not scanned SUP server
 873 tcp applications not scanned QNAP NAS uses the following ports:
Web server: 80,8081 TCP and 443,8080 TCP (web admin)
FTP/SFTP/SSH: 20,21,22 TCP and 13131 TCP (telnet)
Remote Replication: 873,8899 TCP
VPN server: 1723 TCP (PPTP), 1194 UDP (OpenVPN)
CloudLink: port 20001 UDP (optional, only required for access without manual port forwarding)

The ANTlabs InnGate firmware on IG 3100, IG 3101, InnGate 3.00 E, InnGate 3.01 E, InnGate 3.02 E, InnGate 3.10 E, InnGate 3.01 G, and InnGate 3.10 G devices does not require authentication for rsync sessions, which allows remote attackers to read or write to arbitrary files via TCP traffic on port 873.
References: [CVE-2015-0932]

F5 BIG-IP could allow a remote attacker to execute arbitrary code on the system, caused by an error within the ConfigSync Access Control Handler component. By connecting to the rsync service on TCP port 873, an attacker could exploit this vulnerability to gain read or write access to the system and execute arbitrary code on the system with root privileges.
References: [XFDB-95624], [EDB-34465], [CVE-2014-2927]

rsync (TCP/UDP) (IANA official)
 876 tcp,udp applications not scanned ICL coNETion locate server
 877 tcp,udp applications not scanned ICL coNETion server info
 880 tcp trojan not scanned Common Port for phishing scam sites
 881 tcp lync not scanned Microsoft Lync server uses these ports:
444, 445, 448, 881, 5041, 5060 - 5087, 8404 TCP
80, 135, 443, 4443, 8060, 8061, 8080 TCP - standard ports and HTTP(s) traffic
1434 UDP - SQL
49152-57500 TCP/UDP - media ports

McAfee ePO uses these ports:
80, 443, 8443, 8444 TCP - HTTP(S) traffic
389, 646 - LDAP, LDAPS
881 TCP - receiving security threat feed
1433 TCP, 1434 UDP - communication with SQL server
8081 TCP - outbound wakeup requests from the McAfee ePO server
8082 UDP - outbound traffic from superagents forwarding server messages
 888 tcp,udp accessbuilder not scanned Mediaserver.exe in ALLMediaServer 1.6 has a stack-based buffer overflow that allows remote attackers to execute arbitrary code via a long string to TCP port 888, a related issue to CVE-2017-17932.
References: [CVE-2022-28381]

AccessBuilder (IANA official)
 890 tcp trojans not scanned Backdoor.Dsklite [Symantec-2003-070113-4113-99] (2003.07.01) - a backdoor trojan horse that gives the author of the trojan full access to an infected computer. By default, this trojan listens on port 890.

Trojan-Dropper.Win32.Hamer.10 / Remote Floating-point Exception DoS - Trojan Hamer.10 listens on TCP port 890, after receiving a SYN packet it also opens up TCP port 891. Sending an arbitrary junk payload to port 891 results in Floating-point exception and malware crash. Therefore, to exploit this issue we can send two consecutive packets one to port 890 which will in turn open port 891.
References: [MVID-2021-0125]
 891 tcp,udp malware not scanned Trojan-Dropper.Win32.Hamer.10 / Remote Floating-point Exception DoS - Trojan Hamer.10 listens on TCP port 890, after receiving a SYN packet it also opens up TCP port 891. Sending an arbitrary junk payload to port 891 results in Floating-point exception and malware crash. Therefore, to exploit this issue we can send two consecutive packets one to port 890 which will in turn open port 891.
References: [MVID-2021-0125]
 895 tcp,udp applications not scanned Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and port 895. The web server uses JSONP and hosts sensitive information including configuration. User controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address.
References: [CVE-2018-6460], [EDB-44042]
 900 udp games not scanned Command and Conquer Generals Zero Hour, Black and White

OMG Initial Refs (TCP/UDP) (IANA official)
 901 tcp trojans Members scan NetDevil [Symantec-2002-021310-3452-99] (2002.02.13) - remote access trojan. Affects Windows 9x/Me/NT/2k/XP

Port IANA registered for SMPNAMERES

Also used by VMware Virtual Infrastructure Client, Samba SWAT tool, ISS RealSecure Sensor
 902 tcp trojans Premium scan VMware Server Console port. VMware also uses TCP ports 443, 902.
Ideafarm Chat
ISS RealSecure Sensor

NetDevil [Symantec-2002-021310-3452-99] (2002.02.13) - remote access trojan. Affects Windows 9x/Me/NT/2k/XP

Port IANA registered for self documenting Telnet Door
 903 tcp trojans Premium scan VMware Remote Console port. VMware Authentication Daemon Version 1.10. Also used by vSphere clients and vSphere Web Access. Also uses TCP ports 443, 902.

Port also used by Ideafarm-catch, ISS Console Manager.

NetDevil [Symantec-2002-021310-3452-99] (2002.02.13) - remote access trojan. Affects Windows 9x/Me/NT/2k/XP

Port IANA registered for self documenting Telnet Door
 905 tcp trojans not scanned Backdoor.NetDevil.B [Symantec-2002-122712-0302-99] (2002.12.27) - a variant of Backdoor.NetDevil. The trojan allows a hacker to remotely control the infected computer. The trojan opens port 905 for listening.
 910 tcp,udp applications not scanned DATAC RealWin SCADA Server Multiple Remote Buffer Overflow Vulnerabilities
References: [CVE-2011-1563], [BID-46937]

Kerberized Internet Negotiation of Keys (KINK) (IANA official) [RFC 4430]
 911 tcp trojans Premium scan Backdoor.NetCrack [Symantec-2002-082815-5727-99] (2002.08.28) - a backdoor trojan that gives an attacker unauthorized access to an infected computer. By default it opens port 911 on the compromised computer. Backdoor.NetCrack is a Delphi application, packed using UPX v1.05-1.22.

Port is also used by Dark Shadow trojan.

xact-backup (IANA registered)
 912 tcp apex Members scan Port assigned to the APEX (Application Exchange Core) protocol. It is an XML-based protocol designed for sending instant messages based on the Blocks Extensible Exchange Protocol (BEEP).

APEX also uses TCP port 913 as its endpoint-relay service. The APEX protocol has been replaced by the SIP, SIMPLE and XMPP protocols. Port 912 is used primarily to receive and send messages that are originated via the end-points located in port 913. Information sent and received via port 912 includes the endpoint that created it, a URI reference point, the endpoints that will receive it and other options.

RealFlex RealWin is a SCADA server package for medium and small applications designed to control and monitor real-time applications. The RealWin application runs an HMI service on port 912/tcp. This service is vulnerable to two stack-based buffer overflows. One vulnerability is caused by the use of sprintf() in the SCPC_INITIALIZE() and SCPC_INITIALIZE_RF() functions. The second vulnerability is caused by the use of strcpy() in the SCPC_TXTEVENT() function.
References: [CVE-2010-4142], [BID-44150]
 913 tcp,udp apex-edge not scanned VMware Authentication Daemon Version 1.0 (version 1.10 uses TCP port 903). VMware also uses TCP ports 443, 902.

APEX endpoint-relay service (IANA official) [RFC 3340]
 914 udp rift-lies not scanned Routing in Fat Trees Link Information Element (IANA official)
 916 udp applications not scanned The Linksys WAG200G with firmware 1.01.01, WRT54GC 2 with firmware 1.00.7, and WRT54GC 1 with firmware 1.03.0 and earlier allow remote attackers to obtain sensitive information (passwords and configuration data) via a packet to UDP port 916.
References: [CVE-2007-1585], [BID-23063]
 943 tcp silverlight Members scan Port not officially assigned, used by Silverlight Microsoft plugin. Silverlight can add graphics, interactive and multimedia functionality to the Web browser. Port 943 was first used in Silverlight version 2 beta 2 release.

Websites with Silverlight-compatible content will send requests to the computer and access the policy file on port 943. Once the policy file is read, ports 4502-4534 can be used to send data to the Web browser.
 950 tcp rpc.statd Members scan Port used by rpc.statd background process. This daemon is a part of the Network File System (NFS) protocol. This protocol was developed by Sun Microsystems to allow a client to access files that are shared on a network. The rpc.statd daemon is a subsystem of NFS used mostly on UNIX and Linux platforms.

Port 950 can also be used in a malicious way. The port allows direct access to the syslog() function, which may be manipulated by unauthorized users.

The port has been used historically to start a buffer overflow and launch Distributed Denial of Service attacks.
 953 tcp,udp rdns not scanned Domain Name System (DNS) RDNC Service

BIND9 remote name daemon controller (TCP) (IANA registered)
 956 tcp trojan Premium scan Crat Pro
 959 tcp,udp applications not scanned Mac OS X RPC-based services. Used by NetInfo.
 983 tcp applications not scanned PlayStation Network and SCEA Game Servers use this port
 985 tcp applications not scanned NetInfo Static Port
 987 tcp,udp applications not scanned SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthenticated Remote Buffer Overflow via a long string to the CE Remote feature listening on Port 987.
References: [CVE-2019-13577], [XFDB-163945]
 988 tcp applications not scanned Lustre (file system) Protocol (data)
 989 tcp ftps Members scan FTPS Protocol, FTP over TLS/SSL (IANA official) uses ports 989 and 990.

Cyclops Blink Botnet uses these ports. The malware has targeted governments, WatchGuard firewalls, ASUS routers, etc., it is active as of March 2022, and it is believed to be operated by the Sandworm threat group linked to Russian intelligence. Cyclops Blink botnet malware uses the following TCP ports: 636, 989, 990, 992, 994, 995, 3269, 8443

Vulnerabilities listed: 100 (some use multiple ports)
News Glossary of Terms FAQs Polls Cool Links SpeedGuide Teams SG Premium Services SG Gear Store
Registry Tweaks Broadband Tools Downloads/Patches Broadband Hardware SG Ports Database Security Default Passwords User Stories
Broadband Routers Wireless Firewalls / VPNs Software Hardware User Reviews
Broadband Security Editorials General User Articles Quick Reference
Broadband Forums General Discussions
Advertising Awards Link to us Server Statistics Helping SG About