Port reference
Port 623 (UDP) – IPMI / RMCP
IPMI over RMCP — out-of-band management of server baseboard management controllers (BMC).
Default state
Open on server BMCs (iDRAC, iLO, IMM, BMC) for remote power, console, and firmware control, often on a poorly segmented management network.
Common attacks
- RAKP password-hash retrieval for offline cracking (CVE-2013-4786)
- Cipher-zero authentication bypass (no password required)
- Default and weak BMC credentials
- Full server takeover: power, virtual media, console
Hardening
- Isolate BMCs on a dedicated, firewalled management VLAN
- Never expose UDP 623 to the internet
- Disable cipher suite 0 and anonymous logins
- Change default credentials; use long unique passwords
- Keep BMC firmware patched; restrict by IP allowlist
nmap snippet
nmap -sU -p623 --script ipmi-version,ipmi-cipher-zero,ipmi-brute <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 623?
Port 623 carries IPMI over RMCP, the protocol that talks to a server's Baseboard Management Controller (BMC) — iDRAC, iLO, IMM, and generic BMCs. IPMI provides out-of-band management: remote power control, serial-over-LAN console, virtual media, and hardware health, all working even when the host OS is down. It is the backbone of lights-out datacenter administration.
Why it matters for security
The BMC operates below the operating system with total hardware control, so compromising IPMI means owning the server outright — no OS exploit needed. IPMI 2.0's design has structural weaknesses: the RAKP handshake leaks a password hash to any client that asks (CVE-2013-4786), and cipher suite 0 can disable authentication entirely. Combined with default credentials, these make exposed BMCs trivial to take over.
How it's attacked
Attackers scan UDP 623, request the RAKP hash and crack it offline, or abuse cipher-zero to issue privileged commands with no password at all. Many BMCs still run default or weak credentials. Once in, the attacker uses virtual media and power control to boot attacker media and seize the host.
Hardening checklist
Put BMCs on an isolated management VLAN, firewall UDP 623, and never expose it to the internet. Disable cipher suite 0 and anonymous logins, replace default credentials with long unique passwords, and keep BMC firmware patched. Restrict access by IP allowlist. Use the nmap snippet above to check version, cipher-zero, and credentials on BMCs you are authorized to test.
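One way to verify the segmentation and allowlist items in this checklist from firewall or flow logs, as an added example that is not part of the original page. The network ranges, the comma-separated record format, and the function name audit_ipmi_flows are assumptions; the sample records are constructed.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed site layout (hypothetical values, adjust to your environment).
BMC_NET = ip_network("10.20.0.0/24")         # dedicated BMC management VLAN
ALLOWLIST = [ip_network("10.20.0.0/24"),     # BMCs and in-VLAN tooling
             ip_network("10.30.5.10/32")]    # admin jump host
SITE_NETS = [ip_network("10.0.0.0/8")]       # everything considered internal

# Constructed sample flow records: time,src,dst,proto,dport,action
SAMPLE_FLOWS = """\
2024-05-01T10:00:00Z,10.30.5.10,10.20.0.15,udp,623,ACCEPT
2024-05-01T10:00:07Z,10.40.8.22,10.20.0.15,udp,623,ACCEPT
2024-05-01T10:01:12Z,203.0.113.7,10.20.0.16,udp,623,ACCEPT
2024-05-01T10:01:30Z,203.0.113.7,10.20.0.17,udp,623,DROP
2024-05-01T10:02:00Z,10.40.8.22,10.20.0.15,tcp,443,ACCEPT
"""

def audit_ipmi_flows(text):
    """Return (severity, src, dst, time) for accepted UDP/623 flows that
    reach a BMC from a source outside the management allowlist."""
    findings = []
    for ts, src, dst, proto, dport, action in csv.reader(io.StringIO(text)):
        # Only IPMI/RMCP traffic is in scope for this check.
        if proto.lower() != "udp" or int(dport) != 623:
            continue
        # Dropped flows mean the firewall did its job; skip non-BMC targets.
        if action.upper() != "ACCEPT" or ip_address(dst) not in BMC_NET:
            continue
        source = ip_address(src)
        if any(source in net for net in ALLOWLIST):
            continue  # expected management traffic
        # Internal but not allowlisted: the VLAN is not isolated.
        # Outside every site network: UDP 623 is reachable from outside.
        internal = any(source in net for net in SITE_NETS)
        severity = "segmentation-gap" if internal else "external-exposure"
        findings.append((severity, src, dst, ts))
    return findings

if __name__ == "__main__":
    for finding in audit_ipmi_flows(SAMPLE_FLOWS):
        print(*finding)
```

Any finding means a firewall rule permits UDP 623 to a BMC from a source the allowlist does not cover.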
Frequently asked questions
- Why is IPMI on port 623 so dangerous?
- The BMC sits below the OS with full hardware control. A compromised IPMI service lets an attacker power-cycle, mount virtual media, and access the console — owning the server regardless of OS hardening.
- What is the IPMI cipher-zero flaw?
- Cipher suite 0 disables authentication on the IPMI 2.0 session, so anyone reaching port 623 can issue privileged commands without a valid password. It must be disabled.