Skip to content
ProtocolPorts

Port reference

Port 16992 (TCP) – Intel AMT / ME

Intel Active Management Technology web/SOAP interface for out-of-band remote management below the operating system.

tcpRegisteredCommonly attacked

Default state

Open on Intel vPro systems with AMT provisioned. Often unmanaged or unprovisioned, leaving the management engine reachable on the network.

Common attacks

  • CVE-2017-5689 authentication bypass using an empty password digest
  • Full out-of-band takeover below the OS (power, KVM, boot media)
  • Scanning for exposed AMT interfaces on 16992/16993
  • Persisting in the management engine beneath the operating system

CVE-2017-5689

Hardening

  • Unprovision AMT/ME where it is not actively used
  • Apply Intel ME firmware updates that fix CVE-2017-5689
  • Never expose 16992/16993 to the internet — isolate management VLANs
  • Require strong AMT admin passwords and enable TLS (16993)
  • Restrict access by IP allowlist to known management stations

nmap snippet

nmap -p16992 --script http-title,banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 16992?

Port 16992 is the HTTP interface for Intel Active Management Technology (AMT), part of the Management Engine (ME) on Intel vPro platforms. It provides out-of-band management — power control, a remote KVM, and boot-media redirection — that runs below the operating system and works even when the host OS is off or crashed. The TLS equivalent listens on 16993.

Why it matters for security

Because AMT operates beneath the OS, control of it means control of the whole machine, independent of any OS-level security. CVE-2017-5689 is the defining flaw: an attacker can authenticate by sending an empty password digest, bypassing authentication entirely and gaining full management control. An exposed, unprovisioned, or unpatched AMT interface is therefore a path to deep, persistent, firmware-level compromise.

How it's attacked

Attackers scan for 16992/16993 and fingerprint the AMT web interface via http-title and banner data. Against vulnerable firmware they exploit CVE-2017-5689 to bypass authentication, then use the legitimate AMT features — power, KVM, and boot redirection — to take over the host below the OS and persist in the management engine.

Hardening checklist

Unprovision AMT/ME on systems that do not use it, and apply the Intel ME firmware updates that fix CVE-2017-5689. Never expose 16992/16993 to the internet — isolate management on a dedicated VLAN, restrict by IP allowlist to known management stations, require strong AMT admin passwords, and enable TLS on 16993. Use the nmap snippet above to find exposed interfaces on hosts you are authorized to assess.

Related ports

Port 16993Port 623Port 3389Port 5900

Frequently asked questions

What makes CVE-2017-5689 so serious?
It lets an attacker authenticate to Intel AMT by sending an empty password digest, bypassing auth entirely. AMT runs below the OS, so a successful bypass grants full control regardless of the installed operating system.
What is the difference between 16992 and 16993?
16992 is the plaintext HTTP interface to Intel AMT; 16993 is the TLS-encrypted equivalent. Both expose the same out-of-band management surface and should be locked down.