Port reference
Port 1911 (TCP) – Tridium Niagara Fox
Fox protocol used by the Tridium Niagara building-automation framework to connect stations, JACE controllers, and Workbench tools.
Default state
Open on Tridium Niagara JACE controllers and Supervisor stations running the Fox service (1911 plain, 4911 TLS).
Common attacks
- Station and version enumeration via the fox-info script
- Exploitation of known Niagara CVEs (path traversal, weak crypto)
- Credential brute force and default-account abuse
- Internet exposure discovery via Shodan/Censys
Hardening
- Never expose port 1911/4911 to the internet — keep BAS on an isolated network
- Patch Niagara to a current release and remove default accounts
- Use the TLS Fox port (4911) and enforce strong unique credentials
- Segment with firewalls and restrict access to authorized engineering hosts
nmap snippet
nmap -p1911 --script fox-info <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 1911?
Port 1911 carries the Fox protocol, the communication layer of the Tridium Niagara building-automation framework (Niagara AX and N4). It connects JACE field controllers, Supervisor stations, and the Workbench engineering tool, managing HVAC, lighting, access control, and energy systems. The plaintext service runs on 1911; the TLS-secured variant uses 4911.
Why it matters for security
Niagara is widely deployed across commercial buildings, hospitals, and campuses, and many stations are configured with default accounts or outdated firmware. A reachable Fox service exposes the platform's configuration and management interface, and historical flaws such as CVE-2012-4701/4702 allowed path traversal and credential disclosure. Thousands of stations have been indexed on Shodan, making them easy targets for opportunistic attackers and a pivot into the building's controls.
How it's attacked
Attackers fingerprint stations with the nmap fox-info script, which returns
station name, version, and host details. They then check for unpatched CVEs,
default credentials, and weak crypto, or simply brute-force logins. Once in, an
attacker controls building systems and can pivot deeper into the OT network.
Hardening checklist
Never expose 1911 or 4911 to the internet — keep building automation on an isolated network behind firewalls. Patch Niagara to a current release, remove default accounts, and enforce strong unique credentials. Prefer the TLS Fox port 4911, and restrict access to authorized engineering hosts only. Use the nmap snippet above solely on systems you are authorized to assess.
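The access rules in the checklist above can be checked against firewall flow logs. The following is an added example, not part of the original page: it flags allowed Fox connections (1911/4911) to stations that come from outside the site, from hosts that are not authorized engineering hosts, or that still use plaintext 1911. The log format, address ranges, and host list are constructed assumptions.

```python
import ipaddress

FOX_PLAIN, FOX_TLS = 1911, 4911  # Fox ports named on this page

# Assumptions (constructed values): site range, BAS subnet, engineering hosts
SITE_NET = ipaddress.ip_network("10.20.0.0/16")
BAS_NET = ipaddress.ip_network("10.20.30.0/24")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.0.15")}

# Constructed sample flow records: time,src,dst,dst_port,action
SAMPLE_FLOWS = """\
2024-05-01T08:00:01Z,10.20.0.15,10.20.30.10,4911,allow
2024-05-01T08:02:17Z,10.20.0.15,10.20.30.10,1911,allow
2024-05-01T08:05:44Z,10.20.7.88,10.20.30.11,4911,allow
2024-05-01T08:09:02Z,203.0.113.50,10.20.30.10,1911,allow
2024-05-01T08:09:30Z,203.0.113.50,10.20.30.10,1911,deny
2024-05-01T08:11:00Z,10.20.0.15,10.20.30.10,443,allow
"""

def classify(src_ip, port):
    """Return a finding label for an allowed Fox flow, or None if compliant."""
    if src_ip not in SITE_NET:
        return "external-source"      # Fox reachable from outside the site
    if src_ip not in ENGINEERING_HOSTS:
        return "unauthorized-host"    # internal, but not an engineering host
    if port == FOX_PLAIN:
        return "plaintext-fox"        # authorized host not using TLS port 4911
    return None

def audit_fox_flows(text):
    """Return (time, src, dst, port, finding) for each policy violation."""
    findings = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, port, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip unparsable addresses or ports
        if port not in (FOX_PLAIN, FOX_TLS) or dst_ip not in BAS_NET:
            continue  # not Fox traffic to a station
        if action != "allow":
            continue  # the firewall already blocked it
        label = classify(src_ip, port)
        if label:
            findings.append((ts, src, dst, port, label))
    return findings
```

Any "external-source" finding means a firewall rule is letting Fox traffic in from outside the site and should be treated as the highest priority.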
Frequently asked questions
- What is the Fox protocol on port 1911?
  Fox is the proprietary protocol of the Tridium Niagara building-automation framework. It links JACE controllers, Supervisor stations, and the Workbench tool. Port 1911 is plaintext; 4911 is the TLS variant.
- Is Niagara Fox safe to expose online?
  No. Niagara stations have a history of CVEs and weak default configurations, and thousands have been found exposed on Shodan. Building automation should never be directly reachable from the internet.