Skip to content
ProtocolPorts

Port reference

Port 47808 (UDP) – BACnet

BACnet/IP — building-automation protocol controlling HVAC, lighting, and access via device and object properties.

udpRegisteredCommonly attacked

Default state

Open on BACnet/IP controllers and BAS devices (HVAC, lighting), with no authentication on the protocol.

Common attacks

  • Device and object enumeration via Who-Is / bacnet-info
  • Unauthorized ReadProperty disclosure of building configuration
  • WriteProperty abuse to change setpoints and outputs
  • Denial of service against controllers via malformed APDUs

Hardening

  • Never expose port 47808 to the internet — isolate BACnet on an OT/BAS network
  • Segment with firewalls and restrict broadcasts (BBMD scope)
  • Use BACnet/SC (Secure Connect) where devices support it
  • Monitor with an ICS IDS for unexpected WriteProperty traffic

nmap snippet

nmap -sU -p47808 --script bacnet-info <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 47808?

Port 47808 (0xBAC0) hosts BACnet/IP, the dominant building-automation protocol for HVAC, lighting, access control, and energy management. Devices model themselves as objects with properties; controllers and workstations use services like Who-Is, ReadProperty, and WriteProperty to discover devices and read or change setpoints and outputs. It runs over UDP and uses broadcasts, often bridged across subnets by a BBMD.

Why it matters for security

Classic BACnet/IP has no authentication or encryption. Any host that reaches UDP 47808 can enumerate every device with Who-Is, read the building's configuration, and use WriteProperty to change HVAC setpoints, override outputs, or disable equipment. Because BACnet governs comfort and safety systems in hospitals, data centers, and offices, abuse can cause real physical and operational harm.

How it's attacked

Attackers send Who-Is broadcasts or run the nmap bacnet-info script (UDP) to enumerate device IDs, vendor, and object lists, often finding endpoints exposed on Shodan. They then ReadProperty to map the system and WriteProperty to manipulate setpoints and outputs. Malformed APDUs can also crash controllers for a denial of service.

Hardening checklist

Never expose port 47808 to the internet — keep BACnet on an isolated OT/BAS network behind firewalls, and limit broadcast scope via controlled BBMD configuration. Adopt BACnet/SC (Secure Connect) where devices support it for TLS-based authentication, restrict access to authorized workstations, and deploy an ICS IDS to alert on unexpected WriteProperty traffic. Use the nmap snippet above only on systems you are authorized to test.

Related ports

Port 1911Port 102Port 502Port 161

Frequently asked questions

Does BACnet have authentication?
Classic BACnet/IP has no real authentication or encryption, so any host reaching UDP 47808 can enumerate devices and read or write object properties. BACnet/SC (Secure Connect) adds TLS-based security but is not yet widely deployed.
What can an attacker do over BACnet?
They can discover controllers with Who-Is, read building configuration via ReadProperty, and use WriteProperty to change HVAC setpoints, override outputs, or disrupt comfort and safety systems in a building.