Port reference
Port 32764 (TCP) – SerComm Router Backdoor
A real OEM router backdoor on SerComm-built devices that exposes remote command execution and config dumping over port 32764.
Default state
Not a legitimate service. A listening 32764 on a home/SOHO router signals the SerComm OEM backdoor and should be closed immediately.
Common attacks
- Remote command execution via the SerComm router backdoor
- Dumping of router configuration and credentials
- Resetting the device to factory state without authentication
- Mass scanning of SOHO routers for the exposed backdoor
Hardening
- Apply the vendor firmware update that removes the SerComm backdoor
- Never expose router management or 32764 to the WAN/internet
- Block inbound 32764 at the perimeter and on the device firewall
- Replace end-of-life routers that will never be patched
nmap snippet
nmap -p32764 -sV --script banner <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 32764?
Port 32764 is not a legitimate service — it is the listener for a real OEM router backdoor found in many home and SOHO routers manufactured by SerComm (sold under various brands). Researchers exposed it around the TheMoon worm era. A service on TCP 32764 accepts unauthenticated commands, letting anyone who can reach it dump configuration, read credentials, run commands, or factory-reset the router.
Why it matters for security
Because the backdoor requires no authentication, an open 32764 means full remote control of the router — the gateway for the entire network behind it. An attacker can harvest the admin password and Wi-Fi keys, alter DNS to redirect traffic, or brick the device. If the port is reachable from the WAN side, the whole network is trivially compromised.
How it's attacked
Attackers and worms mass-scan SOHO routers for an open 32764 and send crafted requests to execute commands or dump the config. The TheMoon worm used exposed router weaknesses to spread between devices. No exploit chain is needed once the backdoor is reachable — the listener accepts commands directly.
Hardening checklist
Apply the vendor firmware update that removes the SerComm backdoor. Never expose router management or port 32764 to the WAN/internet, and block inbound 32764 at the perimeter and on the device firewall. Replace end-of-life routers that will never be patched. The nmap snippet above grabs the banner on devices you are authorized to test.
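As an added example (not part of the original page), the Python below triages the results of the nmap snippet when it is run with `-oG -` across routers you are authorized to scan, so open and filtered hosts end up on a follow-up list. The sample output, the addresses and the function names are constructed for illustration.

```python
import re

PORT = "32764"

# Constructed sample of `nmap -p32764 -sV --script banner -oG - <target>` output.
# Addresses come from the RFC 5737 documentation range.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -p32764 -sV --script banner -oG - 192.0.2.0/29
Host: 192.0.2.1 (gw.example)\tStatus: Up
Host: 192.0.2.1 (gw.example)\tPorts: 32764/open/tcp//unknown///
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 32764/filtered/tcp//unknown///
Host: 192.0.2.3 ()\tStatus: Up
Host: 192.0.2.3 ()\tPorts: 32764/closed/tcp//unknown///
# Nmap done
"""

# A -oG host line carries "Ports:" followed by comma-separated entries of the
# form port/state/protocol/owner/service/rpc/version/ and ends at the next tab.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+([^\t]*)")

def triage(grepable):
    """Return {ip: state} for TCP 32764 from nmap grepable output."""
    results = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines
        ip, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[0] == PORT and fields[2] == "tcp":
                results[ip] = fields[1]
    return results

def needs_follow_up(results):
    """Hosts to act on: 'open' is exposed, 'filtered' is blocked but unverified."""
    return sorted(ip for ip, state in results.items() if state in ("open", "filtered"))

if __name__ == "__main__":
    states = triage(SAMPLE_OG)
    for ip in needs_follow_up(states):
        print(f"{ip}: tcp/{PORT} {states[ip]}")
```

A `filtered` result only shows that a filter dropped the probe. It does not show that the firmware update was applied, so those hosts still need a check from the LAN side.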
Frequently asked questions
- What is the port 32764 backdoor?
- It is a real OEM backdoor found in routers built by SerComm. A service listening on TCP 32764 accepts unauthenticated commands that can dump config, run commands, or factory-reset the device.
- How do I fix the 32764 backdoor?
- Install the vendor firmware update that removes the backdoor, never expose port 32764 or router management to the internet, and replace end-of-life devices that will never receive a patch.