Service:
Protocol:
TCP/UDPPort:
5000Used for:
Port 5000 is commonly used for custom web APIs, Docker registries, media services, or management interfaces.Why It’s Open
Port 5000 is frequently used by developers and system administrators to host custom web services, REST APIs, and internal applications. In many environments, it’s the default port for Flask (Python) applications, Express (Node.js) APIs, or administrative panels for monitoring tools. It’s also the default port for Docker’s private registry, used to store and distribute container images within organizations.
Common Risks
Port 5000 is not reserved for a single service and is often overlooked. Exposing it externally can lead to:
- Unauthorized Access to Docker Registries
Private images may be exposed if no authentication is configured. - Information Disclosure
Custom APIs may leak internal logic, environment variables, or debug output. - Exposed Management Interfaces
Legacy VoIP and IoT devices often use this port for administration—sometimes with default credentials. - Abuse in DDoS Reflection Attacks (UDP)
If a media or UPnP service is bound to UDP/5000, it may be leveraged for amplification.
Want to save time on reporting?
Let PentestPad generate, track, and export your reports - automatically.
Enumeration & Testing
Check if TCP/UDP port is open:
nmap -sT -p 5000nmap -sU -p 5000Service detection (TCP):
nmap -sV -p 5000Check for Docker Registry:
curl http://:5000/v2/_catalogUPnP enumeration (UDP):
echo -ne "M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\nMAN:\"ssdp:discover\"\r\nMX:1\r\nST:ssdp:all\r\n\r\n" | nc -u -w 2 5000What to Look For
| Checkpoint | What it means |
|---|---|
| Docker registry accessible | May expose private container images |
| Web API exposed with no auth | Public access to internal functions or sensitive endpoints |
| Default credentials in use | Management interface may be trivially compromised |
| UPnP/VoIP service responding | May reveal device metadata or be misused in reflection attacks |
Mitigation
- Restrict Access to Port 5000
Block external access unless absolutely required. Allow only trusted IPs. - Secure Docker Registries
Use authentication (htpasswd, OAuth, or LDAP) and TLS encryption. - Disable UPnP and Unused Media Services
Especially on routers and embedded devices. - Disable Debug Mode
On custom apps (e.g., Flask), ensure debug interfaces are disabled in production. - Use Proper Authentication and Rate Limiting
For any web services or APIs running on this port.
Known CVEs and Exploits
Because port 5000 is used by many services, the risks vary by application. Examples include:
- CVE-2021-21330 – Insecure file write in Docker Registry HTTP API.
- CVE-2020-15106 – Docker Registry path traversal in HTTP API.
- CVE-2019-15224 – Polycom VoIP devices with hardcoded credentials over port 5000.
- Exploit – Flask Debug Shell RCE – RCE in Flask web apps when debug mode is enabled (commonly run on 5000).