Port 4840 (TCP) – OPC UA

OPC Unified Architecture — secure, platform-independent industrial data exchange between servers, clients, and PLCs.

tcp · Registered · Commonly attacked

Default state

Open on OPC UA servers in PLCs, gateways, and SCADA, frequently configured with SecurityMode None and anonymous access.

Common attacks

  • Anonymous/None-security connections reading and writing process data
  • Endpoint and namespace enumeration via GetEndpoints / opcua-info
  • Exploitation of stack/server CVEs and certificate validation flaws
  • Browsing the address space to map the controlled process

Hardening

  • Never expose port 4840 to the internet — keep OPC UA on an OT segment
  • Enforce SecurityMode SignAndEncrypt with trusted application certificates
  • Disable anonymous access; require user authentication and least privilege
  • Patch the OPC UA stack/server and monitor with an ICS IDS

nmap snippet

nmap -p4840 --script opcua-info <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 4840?

Port 4840 hosts OPC UA (Unified Architecture), the modern, platform-independent standard for industrial data exchange. Clients connect to a server's endpoint to browse the address space, read and write nodes, subscribe to data changes, and call methods. It runs in PLCs, gateways, historians, and SCADA, and unlike legacy protocols it was designed with built-in security.

Why it matters for security

OPC UA supports SecurityMode SignAndEncrypt, application certificates, and user authentication — but these are only as good as the deployment. In practice many servers run with SecurityMode None and anonymous access, so any client that reaches port 4840 can browse and write the full process model. Add stack CVEs and lax certificate validation, and a powerful secure protocol becomes an open door into the OT environment.

How it's attacked

Attackers enumerate endpoints with GetEndpoints or the nmap opcua-info script, revealing security policies and whether None/anonymous is allowed. If it is, they browse the namespace to map the process and write nodes to influence it. Otherwise they probe for stack/server CVEs and certificate-handling flaws.

Hardening checklist

Never expose port 4840 to the internet — keep OPC UA on an isolated OT segment behind firewalls. Enforce SecurityMode SignAndEncrypt with trusted application certificates, disable anonymous access, and require user authentication with least privilege. Patch the OPC UA stack and server, and add an ICS IDS. Use the nmap snippet above only on systems you are authorized to assess.
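The checklist above, turned into an added example (not code from this page or from any OPC UA project): a Python audit of endpoint descriptions such as GetEndpoints returns, flagging any mode other than SignAndEncrypt, anonymous tokens, and UserName tokens whose password would travel unencrypted. The dict layout, the string token-type names, the host plc.example and the sample data are assumptions made for this example; a real client library returns its own objects.

```python
from enum import IntEnum

class MessageSecurityMode(IntEnum):  # numeric values per the OPC UA specification
    INVALID = 0
    NONE = 1
    SIGN = 2
    SIGN_AND_ENCRYPT = 3

POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
B256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

def audit_endpoint(ep):
    """Return checklist findings for one endpoint description (assumed dict layout)."""
    findings = []
    mode = MessageSecurityMode(ep["securityMode"])
    if mode is not MessageSecurityMode.SIGN_AND_ENCRYPT:
        findings.append(f"SecurityMode is {mode.name}, not SIGN_AND_ENCRYPT")
    tokens = ep.get("userIdentityTokens") or []
    if not tokens:
        # Assumption of this example: an empty list is sent to manual review.
        findings.append("no user token policies advertised; review manually")
    for tok in tokens:
        if tok["tokenType"] == "Anonymous":
            findings.append("anonymous access is allowed")
        elif tok["tokenType"] == "UserName":
            # A token policy without its own security policy inherits the endpoint's.
            policy = tok.get("securityPolicyUri") or ep["securityPolicyUri"]
            if policy == POLICY_NONE:
                findings.append("UserName password would be sent without encryption")
    return findings

def audit_server(endpoints):
    """Return {(endpointUrl, mode name): findings} for endpoints that fail a check."""
    results = ((ep, audit_endpoint(ep)) for ep in endpoints)
    return {(ep["endpointUrl"], MessageSecurityMode(ep["securityMode"]).name): found
            for ep, found in results if found}

# Constructed sample data (not captured from a real server).
URL = "opc.tcp://plc.example:4840"
SAMPLE = [
    {"endpointUrl": URL, "securityMode": 1, "securityPolicyUri": POLICY_NONE,
     "userIdentityTokens": [{"tokenType": "Anonymous"}, {"tokenType": "UserName"}]},
    {"endpointUrl": URL, "securityMode": 2, "securityPolicyUri": B256,
     "userIdentityTokens": [{"tokenType": "UserName"}]},
    {"endpointUrl": URL, "securityMode": 3, "securityPolicyUri": B256,
     "userIdentityTokens": [{"tokenType": "UserName"}, {"tokenType": "Certificate"}]},
]
if __name__ == "__main__":
    print(audit_server(SAMPLE))
```

An endpoint list that produces an empty report meets the SecurityMode and anonymous-access items of the checklist; segmentation, certificate trust, and patching still have to be verified separately.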

Frequently asked questions

Is OPC UA secure by default?
OPC UA can be very secure with SignAndEncrypt and certificate-based authentication, but it is frequently deployed with SecurityMode None and anonymous access, which removes all protection. Security depends entirely on configuration.

What is the difference between OPC UA and Modbus?
Modbus has no security at all, while OPC UA was designed with signing, encryption, and authentication. The risk with OPC UA is misconfiguration — falling back to None/anonymous makes it nearly as exposed as Modbus.