Port 7680 – Windows Delivery Optimization (WDO)

Service: WDO / DoSvc
Protocol: TCP
Port: 7680
Used for: Peer-to-peer distribution of Windows updates and Microsoft Store apps between devices

Why It’s Open

Port 7680/TCP is the listener for Windows Delivery Optimization (DoSvc), a service introduced with Windows 10 that turns every Windows host into a peer in a P2P overlay for Microsoft Update payloads and Microsoft Store app deliveries. When a host downloads a Windows update, chunks of that update can come from — and be served to — other devices on the same LAN or across the internet, depending on configuration. The service is enabled by default on Windows 10/11 clients and on Windows Server if the DoSvc feature is installed.

Common Risks

  • Internet-facing 7680. In the default “Internet” mode, a home or cloud VM can accept WDO connections from arbitrary peers, which is almost never intended and leaks device presence.
  • Metadata and device-presence leakage. An open 7680 reliably confirms a host is running a modern Windows build, which shrinks an attacker’s fingerprinting work.
  • Elevation-of-privilege bugs in the DoSvc service (see CVEs below) that let a local attacker abuse file share permissions or object handling.
  • WAN cost / bandwidth exhaustion in enterprise networks where branch offices pull update chunks from internet peers instead of from a local WSUS or distribution point.
  • Supply-chain trust surface. P2P delivery means you’re trusting Microsoft’s signing, not your peer — any crypto weakness in that validation chain has a large blast radius.

Enumeration & Testing

Check if the port is open

nmap -Pn -p 7680 -sV <target>

Scan a subnet for exposed DoSvc

nmap -Pn -p 7680 --open <target>/24

Fingerprint with banner script

nmap -Pn -p 7680 --script=banner <target>

Check the service on a Windows host

Get-Service -Name DoSvc
Get-DeliveryOptimizationStatus
Get-DeliveryOptimizationPerfSnap
# Show active listeners
Get-NetTCPConnection -LocalPort 7680 -State Listen
netstat -an | findstr :7680

Inspect current DO policy

Get-DeliveryOptimizationLog -Flush | Out-File $env:TEMP\do.log
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config

What to Look For

Checkpoint | What it means
7680 reachable from the public internet | Device is almost certainly misconfigured — DO should be LAN-only
DownloadMode = 3 (Internet) | Machine will peer with arbitrary internet hosts
DownloadMode = 0 | DO disabled, port should not be listening
DoSvc running on a Server build | Unusual — confirm whether the feature is intentionally enabled
Unpatched builds predating CVE-2020-0983 | Local elevation-of-privilege exposure
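
The checks from the table above can be run together on a Windows host. The following is an added example, not part of the original page and not PentestPad or Microsoft code. It combines the page's cmdlets and policy registry path; the function name Get-DoExposureFinding, the finding strings, and the use of the Public firewall profile as a local stand-in for internet reachability are assumptions.

```powershell
# Added example. Get-DoExposureFinding and its finding strings are hypothetical
# names; run from an elevated PowerShell session on the host being audited.
function Get-DoExposureFinding {
    param([string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization')

    $findings = [System.Collections.Generic.List[string]]::new()

    # Service state and listener, as in "Check the service on a Windows host".
    $svc       = Get-Service -Name DoSvc -ErrorAction SilentlyContinue
    $running   = $null -ne $svc -and $svc.Status -eq 'Running'
    $listening = @(Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue).Count -gt 0

    # Policy value; $null means no GPO/MDM policy is set and the OS default applies.
    $policy = Get-ItemProperty -Path $PolicyPath -Name DODownloadMode -ErrorAction SilentlyContinue
    $mode   = if ($policy) { [int]$policy.DODownloadMode } else { $null }

    if ($null -eq $mode) {
        $findings.Add('DODownloadMode not set by policy; set 1 (LAN) or 2 (Group)')
    } elseif ($mode -eq 3) {
        $findings.Add('DownloadMode = 3 (Internet): peers with arbitrary internet hosts')
    } elseif ($mode -eq 0 -and $listening) {
        $findings.Add('DownloadMode = 0 but TCP/7680 is still listening')
    }

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 and 3 = server roles.
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    if ($running -and $productType -ne 1) {
        $findings.Add('DoSvc running on a Server build; confirm it is intentional')
    }

    # Assumption: an enabled inbound allow rule for 7680 on the Public profile is
    # treated as a local sign of exposure. The perimeter still needs its own check.
    $publicRules = @(Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '7680' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                       $_.Action -eq 'Allow' -and "$($_.Profile)" -match 'Any|Public' })
    if ($listening -and $publicRules.Count -gt 0) {
        $findings.Add('TCP/7680 listening with an inbound allow rule on the Public profile')
    }

    [pscustomobject]@{
        DoSvcRunning = $running
        Listening    = $listening
        DownloadMode = $mode
        Findings     = $findings
    }
}

Get-DoExposureFinding | Format-List
```

An empty Findings list means none of these local checks fired; patch level against the CVEs listed on this page is not covered and has to be verified separately.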

Known CVEs

  • CVE-2017-11829 — Windows Update Delivery Optimization elevation of privilege via improper file share permissions.
  • CVE-2019-1289 — Windows Update Delivery Optimization elevation of privilege (same class).
  • CVE-2020-0983 — Delivery Optimization service improper object-in-memory handling, elevation of privilege.
  • CVE-2022-24542 — Delivery Optimization elevation of privilege vulnerability.

Mitigation

  • Block TCP/7680 at the perimeter firewall. There is no legitimate reason WDO should be reachable from the public internet.
  • Set DownloadMode to LAN-only (1) or Group (2) via Group Policy or MDM:
    • GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode
    • Intune: DeliveryOptimization/DODownloadMode
    • Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DODownloadMode
  • Use a Group ID so only trusted peers within a site share payloads.
  • Disable DoSvc entirely where P2P update distribution is not needed:
    Stop-Service DoSvc
    Set-Service DoSvc -StartupType Disabled
  • Keep Windows patched. All disclosed WDO CVEs to date have been elevation of privilege and are fixed by applying the normal Patch Tuesday rollup.
  • Prefer WSUS or Configuration Manager for update distribution in enterprise environments — Delivery Optimization complements these, it doesn’t replace them.

Real-World Example

Security researchers have periodically found public-facing Windows cloud VMs with TCP/7680 open to the internet because the operator didn’t lock down the NSG or Security Group after deploying a standard Windows image. The exposure rarely leads to RCE on its own, but it reliably identifies Windows hosts in shodan.io sweeps and feeds attacker fingerprinting pipelines.

TL;DR

  • Service: Windows Delivery Optimization (DoSvc)
  • Default port: 7680/TCP
  • Biggest risk: unintended internet-facing exposure + local EoP CVEs
  • Mitigation: block at perimeter, set DownloadMode to LAN/Group, disable DoSvc if unused, patch promptly