Port 1720 Exploit – H.323 Protocol

Service: H.323
Protocol: TCP
Port: 1720
Used for: Video/VoIP call setup

Why It’s Open

Port 1720 is typically open on devices running H.323-based services, such as video conferencing systems (e.g., Polycom, Cisco TelePresence), IP phones, or Unified Communications gateways. H.323 is used to set up and manage multimedia sessions over IP networks, and port 1720 specifically handles call signaling (Q.931 protocol) to initiate or negotiate calls.

Common Risks

Although H.323 is a legitimate protocol, leaving port 1720 exposed—especially on the public internet—can result in:

  • Unauthorized Call Setup: Attackers could initiate calls, potentially consuming resources or enabling eavesdropping attempts.
  • Protocol Fingerprinting & Reconnaissance: Exposed H.323 services may reveal device types, vendor versions, or software stacks via banner grabbing or malformed packets.
  • Service Exploitation: Numerous vulnerabilities (buffer overflows, DoS, RCE) have been found in H.323 implementations due to weak input validation.
  • Brute-force or Credential Harvesting: If authentication is weak or misconfigured, attackers can attempt SIP/H.323 login brute-forcing.

Known Exploits

  • CVE-2020-14305 – Buffer overflow in ekiga SIP and H.323 VoIP softphone.
  • CVE-2011-3277 – Cisco TelePresence system DoS vulnerability via malformed packets on port 1720.
  • CVE-2010-0582 – Microsoft Windows H.323 protocol stack buffer overflow (RCE).
  • CVE-2010-0583 – Another Microsoft Windows H.323 stack vulnerability allowing denial of service.
  • CVE-2009-2866 – Asterisk H.323 module remote crash via malformed TPKT packet.
  • CVE-2003-0819 – OpenH323 stack DoS via malformed Q.931 SETUP packet on TCP/1720.

Enumeration & Testing

Check if it’s open

nmap -sT -p 1720 <target>

Check with Nmap’s H.323 script

nmap -p 1720 --script h323-info <target>

Use a VoIP scanner

Tools like sipvicious, VOIPER, or H.323 exploit scripts can help assess exposure and responses.

What to Look For

Checkpoint | What it means
Port 1720 open externally | H.323 service exposed, should be internal only
Banner reveals vendor info | Vulnerable to fingerprinting and targeted exploitation
No authentication configured | Anyone can initiate call setup or probe the device
Leaking version info | Known vulnerable firmware

Mitigation

  • Block TCP/1720 on perimeter firewalls unless the device is explicitly meant for internet-facing VoIP traffic.
  • Restrict access to trusted IP ranges only.
  • Disable unused VoIP protocols (e.g., H.323 if using SIP).
  • Enable authentication and encryption for H.323 call setups.
  • Update firmware/software on all H.323-enabled devices regularly to patch known CVEs.
  • Implement VoIP-aware IDS/IPS to monitor H.323 traffic for anomalies.
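
The kind of framing check a VoIP-aware IDS applies to TCP/1720 traffic, as an added example (not code from the original page or from any vendor): it validates the TPKT header and walks the Q.931 information elements, flagging lengths that overrun the frame. The function name `inspect_frame`, the sample frames and the one-frame-per-buffer input are assumptions made for illustration.

```python
import struct
# Q.931 message types used by H.225.0 call signalling (subset, for labelling only).
Q931_TYPES = {0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x05: "SETUP",
              0x07: "CONNECT", 0x5A: "RELEASE COMPLETE", 0x62: "FACILITY"}

def inspect_frame(data: bytes) -> dict:
    """Check one TPKT frame from TCP/1720; return Q.931 type and framing anomalies."""
    result = {"type": None, "anomalies": []}
    flag = result["anomalies"].append
    if len(data) < 4:
        flag("short TPKT header")
        return result
    version, reserved, length = struct.unpack("!BBH", data[:4])
    if version != 3 or reserved != 0:
        flag("bad TPKT version/reserved")
    if length != len(data):              # TPKT length counts its own 4-byte header
        flag("TPKT length %d != captured %d" % (length, len(data)))
    q931 = data[4:]
    if len(q931) < 2 or q931[0] != 0x08:
        flag("missing Q.931 protocol discriminator 0x08")
        return result
    cr_len = q931[1] & 0x0F              # call reference length, low nibble
    if len(q931) < 3 + cr_len:
        flag("call reference overruns frame")
        return result
    msg_type = q931[2 + cr_len]
    result["type"] = Q931_TYPES.get(msg_type, "0x%02x" % msg_type)
    pos = 3 + cr_len
    while pos < len(q931):               # walk the information elements (IEs)
        ie = q931[pos]
        if ie & 0x80:                    # single-octet IE: no length field
            pos += 1
            continue
        lsize = 2 if ie == 0x7E else 1   # User-User IE: 2-byte length in H.225.0
        if pos + 1 + lsize > len(q931):
            flag("IE 0x%02x truncated" % ie)
            break
        ie_len = int.from_bytes(q931[pos + 1:pos + 1 + lsize], "big")
        pos += 1 + lsize
        if pos + ie_len > len(q931):
            flag("IE 0x%02x length %d overruns frame" % (ie, ie_len))
            break
        pos += ie_len
    return result

# Constructed samples (not captured traffic): a SETUP frame, then one with a bad IE length.
_Q931 = bytes([0x08, 0x02, 0x00, 0x01, 0x05, 0x04, 0x03, 0x88, 0x93, 0xA5, 0x28, 0x04]) + b"room"
GOOD = struct.pack("!BBH", 3, 0, 4 + len(_Q931)) + _Q931
BAD = GOOD[:-5] + b"\xf0room"
```

`inspect_frame(GOOD)` reports a SETUP with no anomalies, while `inspect_frame(BAD)` reports the Display IE (0x28) claiming 240 bytes inside a 20-byte frame.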

Real World Example

In past assessments, public-facing video conferencing devices using port 1720 were found leaking internal IP addresses, vendor details, and even allowing call setup without authentication. Older firmware versions were susceptible to denial-of-service and remote code execution vulnerabilities, such as CVE-2010-0582 and CVE-2003-0819.

TL;DR

  • Port 1720 = H.323 = Video/VoIP call setup
  • Should NOT be open to the internet
  • Scan for open services, banner leaks, and authentication gaps
  • Apply firmware updates, restrict access, and monitor VoIP traffic