Port reference
Port 554 (TCP) – RTSP (Real Time Streaming Protocol)
Real Time Streaming Protocol controlling delivery of audio/video streams from cameras and media servers.
Default state
Open on IP cameras, NVRs, and media servers; frequently exposed to the internet with weak or default credentials.
Common attacks
- Accessing live camera feeds with no or default authentication
- Stream URL/path brute forcing to find unprotected feeds
- Credential brute force against camera and NVR accounts
- Mass scanning and indexing of exposed RTSP streams
Hardening
- Require authentication and change all default camera credentials
- Never expose RTSP to the internet; place cameras on an isolated VLAN
- Access feeds through a VPN or secured gateway instead of port 554
- Patch camera/NVR firmware and disable unused ONVIF/RTSP endpoints
nmap snippet
nmap -p554 --script rtsp-methods,rtsp-url-brute <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 554?
Port 554 is the default for RTSP, the Real Time Streaming Protocol, which controls the setup and playback of audio/video streams. It is the dominant protocol for IP cameras, NVRs, and media servers, commonly paired with ONVIF for device discovery. RTSP handles the control channel (PLAY, PAUSE, DESCRIBE); the media itself typically flows over RTP.
Why it matters for security
RTSP's security problem is deployment, not just the protocol: vast numbers of IP cameras ship with default or no credentials and get plugged straight into the internet. That turns port 554 into a live window an attacker can open without breaking anything. Beyond privacy loss, an exposed camera is a foothold into the network, and weak firmware adds exploitable vulnerabilities on top.
How it's attacked
Attackers scan for open RTSP and try to DESCRIBE/PLAY streams that require no auth, instantly viewing live video. They brute-force stream URLs and paths (vendor-specific endpoints) to find feeds, and brute-force credentials on cameras and NVRs. Search engines and botnets continuously index exposed RTSP, so an internet-facing camera is found within hours.
Hardening checklist
Require authentication and change every default credential on cameras and NVRs. Never expose RTSP to the internet — place devices on an isolated VLAN and reach feeds through a VPN or secured gateway instead of opening port 554. Patch firmware and disable unused ONVIF/RTSP endpoints. The nmap snippet above enumerates supported methods and probes stream URLs on devices you are authorized to test.
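To confirm the first checklist item on a device you administer, the following added example (not part of the original page) sends an RTSP DESCRIBE with no credentials and classifies the reply: 200 means the stream is described without authentication, 401 means the device demands it. The function names, verdict strings, and sample replies are assumptions constructed for illustration.

```python
import socket

def build_describe(host, path="/", port=554, cseq=1):
    """Build an RTSP/1.0 DESCRIBE request that carries no Authorization header."""
    return (f"DESCRIBE rtsp://{host}:{port}{path} RTSP/1.0\r\n"
            f"CSeq: {cseq}\r\n"
            "Accept: application/sdp\r\n\r\n").encode("ascii")

def classify_response(raw):
    """Return (verdict, auth_schemes) for a raw RTSP reply to that request."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0].decode("latin-1")
    lines = head.split("\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("RTSP/") or not status[1].isdigit():
        return ("not-rtsp", [])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")      # header names are case-insensitive
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    code = int(status[1])
    if code == 200:
        return ("open", schemes)                  # described with no credentials
    if code == 401:
        return ("auth-required", schemes)         # device demands authentication
    return (f"status-{code}", schemes)            # e.g. 404: check the configured path

def probe(host, path="/", port=554, timeout=5.0):
    """Send the request to a device you administer and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_describe(host, path, port))
        return classify_response(s.recv(4096))

# Constructed sample replies (not captured from any real device).
SAMPLE_OPEN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
               b"Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n")
SAMPLE_AUTH = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
               b'WWW-Authenticate: Digest realm="cam", nonce="abc123"\r\n\r\n')

if __name__ == "__main__":
    for label, raw in (("no-auth device", SAMPLE_OPEN), ("hardened device", SAMPLE_AUTH)):
        print(label, classify_response(raw))
```

Run `probe()` from inside the camera VLAN against the stream path your device is configured to serve; any "open" verdict means the authentication item on the checklist is not yet met.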
Frequently asked questions
- What uses RTSP on port 554?
  RTSP controls audio/video streaming and is the standard for IP cameras, NVRs, and many media servers, often alongside ONVIF. It sets up and tears down the stream, which then flows over RTP.
- Why are RTSP cameras a security risk?
  Huge numbers of IP cameras expose RTSP to the internet with default or no credentials. Attackers and search engines index these open feeds, exposing live video to anyone who finds the URL.