ER605 UDP Port 1900 Open with UPnP Disabled

Have 2.3.0 Build 20250428 Rel.18967 installed on multiple ER605s. They all show UDP Port 1900 being open when the UPnP Service is unchecked/disabled in the web interface.
I was going through a PCI (TSYS credit card compliance) vulnerability scan and it listed UDP1900 (along with 500/4500 IPSec VPN, which is being used) as being open. UDP1900 is used with UPnP, but that Service is not Enabled. I checked a few other routers and they report the same thing (used pentest-tools dot com/network-vulnerability-scanning/port-scanner-online-nmap for testing).
I don't know if the port was showing open under 2.2.6, but PCI scans didn't report it in the past.
Anyone else seeing this?
The only service configured on the routers is IPSec VPN. Everything else is not configured/disabled.
Did you use the local Nmap to scan? The link you sent seems to be an online scan. I did not click any external links.
What is the screenshot result like for the scan? Is it filtered or open?
Do you use a controller to control them?
Please mosaic your sensitive information. Here is a list of information considered sensitive:
1. Public IP address on your WAN if your WAN is.
2. Real MAC address of your device.
3. Your personal information including address, domain name, and credentials.
For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.
pentest is an online scan tool.
nmap
ER605 settings:
These are managed via the web interface. No controller is connected to the routers.
They say both, open|filtered, as seen in the screenshots.
ADIT wrote
pentest is an online scan tool.
nmap
ER605 settings:
These are managed via the web interface. No controller is connected to the routers.
They say both, open|filtered, as seen in the screenshots.
Don't mosaic everything. Can you show me your WAN from the router and the Nmap IP? Are they the same IP address?
I just hit all my routers with an nmap scan on their public WAN IP targeting UDP ports 1-2000.
My 2 ER605s running 2.3.0 and my ER8411 running 1.3.2 all only reported UDP 500 open (expected as used for VPNs).
The final report generated for each router (UDP scan only due to time constraints) looked like this:
I'm not super happy that these ports are open-filtered rather than just fully unresponsive, but none of them are reporting UDP 1900 as open at all.
All routers are in controller mode
Yes, both are pointed to the same Public IP Address on the WAN. You can see the reverse lookup maps to Verizon FIOS, hence the Public IP.
The screenshots I have were masked and saved.
I believe there were 3 revision dates of the ER605 2.3.0 firmware prior to release. Mine is listed in the OP.
None are on a Controller.
On a full scan they do show other ports open but since my first issue was a PCI Compliance Scan it only had questions about the IPSec (I have VPNs) and UPnP (it is supposedly disabled) ports.
I also have a problem with the "open|filtered" status of the ports. If the service is disabled they shouldn't report at all.
If it is Open and Filtered, where can I view the filters? This could lead one to think that this device is a Backdoor heaven.
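Added example, not part of any post in this thread: a UDP scanner reports "open|filtered" when a probe gets neither a reply nor an ICMP port-unreachable error, so that state alone does not confirm a listener on UDP 1900. The sketch below classifies a port the same way and, by default, sends an SSDP M-SEARCH (the request a UPnP listener typically answers), which can turn an ambiguous result into a definite "open". The function names and the loopback targets are constructed for illustration.

```python
import socket
import threading

# SSDP discovery request; a UPnP/SSDP listener typically answers it.
SSDP_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 1\r\n"
    b"ST: ssdp:all\r\n\r\n"
)

def classify_udp_port(host, port, payload=SSDP_MSEARCH, timeout=1.0, tries=2):
    """Classify a UDP port as 'open', 'closed' or 'open|filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: ICMP errors raise exceptions
        for _ in range(tries):
            try:
                s.send(payload)
                s.recv(2048)
                return "open"        # a datagram came back: something listens
            except ConnectionRefusedError:
                return "closed"      # ICMP port unreachable was received
            except socket.timeout:
                continue             # silence: retry before giving up
    return "open|filtered"           # no reply and no ICMP error: undecidable

def loopback_demo(timeout=0.3):
    """Constructed targets on 127.0.0.1: one replies, one stays silent."""
    replying = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    replying.bind(("127.0.0.1", 0))
    silent.bind(("127.0.0.1", 0))    # bound but never answers, like a dropped probe

    def answer_once():
        _, peer = replying.recvfrom(2048)
        replying.sendto(b"HTTP/1.1 200 OK\r\n\r\n", peer)

    threading.Thread(target=answer_once, daemon=True).start()
    try:
        ports = {"replying": replying.getsockname()[1],
                 "silent": silent.getsockname()[1]}
        return {name: classify_udp_port("127.0.0.1", p, timeout=timeout)
                for name, p in ports.items()}
    finally:
        replying.close()
        silent.close()

if __name__ == "__main__":
    print(loopback_demo())
```

To check a router, call `classify_udp_port` with its WAN address and port 1900 from a host outside the network; a result of "open" means an SSDP response was actually received.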