Port reference
Port 44818 (TCP/UDP) – EtherNet/IP (CIP)
EtherNet/IP encapsulating the Common Industrial Protocol — controls Allen-Bradley and other CIP PLCs and devices.
Default state
Open on EtherNet/IP PLCs and devices (e.g. Allen-Bradley/Rockwell) with no authentication on the explicit-messaging interface.
Common attacks
- Identity enumeration of vendor, product, firmware via enip-info
- Unauthenticated read/write of tags and CIP objects
- PLC stop/reset and configuration changes over CIP services
- Denial of service against controllers and adapters
Hardening
- Never expose port 44818 to the internet — isolate EtherNet/IP on an OT cell
- Segment with firewalls/DMZ and allowlist authorized controllers/HMIs
- Enable controller-side protection (trusted slots, key switch RUN mode)
- Monitor with an ICS IDS for unexpected CIP write/admin services
nmap snippet
nmap -p44818 --script enip-info <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 44818?
Port 44818 carries EtherNet/IP, which encapsulates the Common Industrial Protocol (CIP) for factory automation. It is the backbone of Allen-Bradley / Rockwell and many other vendors' devices. Explicit messaging on TCP/UDP 44818 lets clients read the device identity, read and write tags, and call CIP services, while implicit I/O runs over UDP 2222.
Why it matters for security
The CIP interface on 44818 generally has no authentication. A reachable device freely returns its identity object — vendor, product code, firmware, serial — and accepts read/write of tags and objects. That means anyone who reaches the port can enumerate the controller and, in many cases, change configuration, alter tags, or stop/reset the PLC, directly impacting the production line. Newer CIP Security exists but is rarely enabled.
How it's attacked
Attackers fingerprint controllers with the nmap enip-info script, harvesting
identity details to match known CVEs and capabilities. With no authentication they
read and write tags, invoke administrative CIP services, and may stop or
reset the PLC. Malformed requests can also trigger a denial of service on the
controller or adapter.
Hardening checklist
Never expose port 44818 to the internet — keep EtherNet/IP devices in an isolated OT cell behind firewalls and a DMZ, and allowlist only authorized controllers and HMIs. Enable controller-side protection (trusted slots, physical key switch in RUN), apply CIP Security where available, and patch firmware. Add an ICS IDS to flag unexpected CIP write/admin services. Use the nmap snippet above only on systems you are authorized to assess.
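One way to implement the "flag unexpected CIP write/admin services" check, as an added example that is not part of the original page: a parser for a TCP/44818 payload that walks the EtherNet/IP encapsulation header and item list, then classifies the CIP service code. The function names, the severity labels, the source-IP allowlist and the grouping of services into write and admin sets are assumptions of this example; it covers only unconnected explicit messages carried in SendRRData, not connected messaging or requests wrapped in Unconnected Send.

```python
import struct

# CIP request service codes; splitting them into "write" and "admin" is this example's choice.
WRITE_SERVICES = {0x02: "Set_Attributes_All", 0x10: "Set_Attribute_Single",
                  0x4D: "Write_Tag", 0x4E: "Read_Modify_Write_Tag",
                  0x53: "Write_Tag_Fragmented"}
ADMIN_SERVICES = {0x05: "Reset", 0x06: "Start", 0x07: "Stop"}
SEND_RR_DATA = 0x006F           # encapsulation command for unconnected explicit messages
UNCONNECTED_DATA_ITEM = 0x00B2  # item type that holds the CIP request itself

def classify_enip(payload, src, allowlist=()):
    """Return (severity, service) for a write/admin CIP request, else None."""
    if len(payload) < 24:                       # encapsulation header is 24 bytes
        return None
    command, length = struct.unpack_from("<HH", payload, 0)
    if command != SEND_RR_DATA or len(payload) < 24 + length:
        return None
    body = payload[24:24 + length]
    if len(body) < 8:                           # interface handle, timeout, item count
        return None
    item_count = struct.unpack_from("<H", body, 6)[0]
    offset = 8
    for _ in range(item_count):
        if offset + 4 > len(body):              # truncated item header
            return None
        item_type, item_len = struct.unpack_from("<HH", body, offset)
        data = body[offset + 4:offset + 4 + item_len]
        offset += 4 + item_len
        if item_type != UNCONNECTED_DATA_ITEM or not data:
            continue
        service = data[0]
        if service & 0x80:                      # high bit set marks a reply
            return None
        name = WRITE_SERVICES.get(service) or ADMIN_SERVICES.get(service)
        if name is None:                        # reads and identity queries are not flagged
            return None
        return ("info" if src in allowlist else "alert", name)
    return None

def sample_frame(service):
    """Constructed test input: SendRRData with a null address item and one data item."""
    cip = bytes([service, 0x02, 0x20, 0x01, 0x24, 0x01])  # service, path size, class/instance path
    body = (struct.pack("<IHH", 0, 0, 2) + struct.pack("<HH", 0, 0)
            + struct.pack("<HH", UNCONNECTED_DATA_ITEM, len(cip)) + cip)
    return struct.pack("<HHII8sI", SEND_RR_DATA, len(body), 0x1234, 0, b"\0" * 8, 0) + body
```
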
Frequently asked questions
- Does EtherNet/IP have authentication?
- The CIP explicit-messaging interface on port 44818 generally has no authentication, so a reachable device will return its identity and accept tag and object operations. Newer Rockwell controllers add CIP Security, but it is not widely deployed.
- What is CIP on EtherNet/IP?
- CIP (Common Industrial Protocol) is the application layer; EtherNet/IP is its encapsulation over TCP/UDP. Together they let masters read and write tags and call services on PLCs and field devices in factory automation.