Service:
Protocol: TCP
Port: 7680
Used for: Peer-to-peer (P2P) sharing of Windows updates and Microsoft Store apps between devices on a local network or the internet to reduce bandwidth usage.

Why It’s Open
Port 7680 is used by Windows Delivery Optimization (WDO), a feature in Windows 10 and 11 that allows devices to share updates and Microsoft Store apps via peer-to-peer (P2P) networking. It’s typically open on Windows clients and sometimes on Windows Server if Delivery Optimization is enabled. This service helps reduce bandwidth usage by retrieving updates from local or internet peers instead of downloading everything directly from Microsoft.
Common Risks
While intended to improve efficiency, leaving port 7680 open—especially to public networks—can introduce several risks:
- **NTP Amplification Attacks:** Used in DDoS attacks. A small request from an attacker leads to a large response from the NTP server, overwhelming a target.
- **Information Disclosure:** Misconfigured NTP servers can leak version info, system uptime, and internal IPs.
- **Spoofing/Time Shifting:** Manipulating NTP responses can desynchronize systems, breaking logs or authentication.

Enumeration & Testing
Check if it’s open

```
nmap -sT -p 7680 <target>
```

Scan for Windows DO Service

```
nmap --script=banner -p 7680 <target>
```

Check traffic with netstat (on Windows)

```
netstat -an | findstr :7680
```

Known Exploits
- CVE-2017-11829
An elevation of privilege vulnerability exists when Windows Update Delivery Optimization does not properly enforce file share permissions.
- CVE-2019-1289
An elevation of privilege vulnerability exists when Windows Update Delivery Optimization does not properly enforce file share permissions.
- CVE-2020-0983
An elevation of privilege vulnerability exists when the Windows Delivery Optimization service improperly handles objects in memory.
What to Look For
| Checkpoint | What it means |
|---|---|
| Port 7680 open externally | Device might be sharing updates with internet peers |
| High bandwidth usage | Could indicate excessive DO activity |
| No ACL/firewall in place | Risk of abuse from external entities |
| DO allowed on all networks | May share data beyond corporate/LAN boundaries |
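
To map `netstat -an` output onto the checkpoints above, this added example (not part of the original page) sorts port 7680 listeners and established peers into internal and external addresses. The sample output is constructed, and the `INTERNAL_NETS` list is an assumption to adjust to your own address plan.

```python
import ipaddress
import re

DO_PORT = 7680
# Assumption: these ranges count as "internal"; adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample of `netstat -an` output from a Windows host (not real data).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING
  TCP    10.20.30.41:7680       10.20.30.77:50112      ESTABLISHED
  TCP    10.20.30.41:7680       203.0.113.25:61544     ESTABLISHED
  TCP    10.20.30.41:52011      198.51.100.9:7680      ESTABLISHED
  TCP    10.20.30.41:52300      10.20.30.90:443        ESTABLISHED
  TCP    [::]:7680              [::]:0                 LISTENING
"""

ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def split_endpoint(text):
    """Split '10.0.0.1:7680' or '[fe80::1%4]:7680' into (ip_address, port)."""
    host, port = text.rsplit(":", 1)
    host = host.strip("[]").split("%")[0]  # drop brackets and IPv6 zone id
    return ipaddress.ip_address(host), int(port)

def is_internal(addr):
    return any(addr.version == n.version and addr in n for n in INTERNAL_NETS)

def triage(netstat_text):
    """Return port-7680 listeners and peers, split by internal/external."""
    report = {"listeners": [], "internal_peers": [], "external_peers": []}
    for m in filter(None, map(ROW.match, netstat_text.splitlines())):
        try:
            (laddr, lport), (raddr, rport) = map(split_endpoint, m.group(1, 2))
        except ValueError:
            continue  # skip rows whose endpoints are not ip:port
        if m.group(3) == "LISTENING" and lport == DO_PORT:
            report["listeners"].append(str(laddr))
        elif m.group(3) == "ESTABLISHED" and DO_PORT in (lport, rport):
            key = "internal_peers" if is_internal(raddr) else "external_peers"
            report[key].append(str(raddr))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A wildcard listener (`0.0.0.0` or `::`) means the service accepts connections on every interface, and any entry under `external_peers` corresponds to the "DO allowed on all networks" checkpoint.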
Mitigation
- Block TCP/7680 on the perimeter firewall unless explicitly required.
- Configure Group Policy to restrict Delivery Optimization:
  - Open gpedit.msc
  - Navigate to Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization
  - Enable and configure:
    - Download Mode: Use LAN or Group instead of Internet
    - Restrict Peer Selection: Ensure only internal peers are used
- Disable Delivery Optimization if not needed:

  ```
  Stop-Service DoSvc
  Set-Service DoSvc -StartupType Disabled
  ```

Real World Example
In enterprise networks, misconfigured Delivery Optimization has led to excessive WAN usage, as branch office devices attempted to download updates from internet peers rather than using internal caches or WSUS. In some audit cases, 7680 was found exposed on public IPs, leaking behavioral metadata.
TL;DR
- Port 7680 = Windows Delivery Optimization
- Used for P2P update sharing
- Should not be internet-facing
- Control bandwidth, peer scope, and exposure
- Harden via GPO and firewall rules