Skip to content
PortsDB

Port reference

Port 631 (TCP/UDP) – IPP / CUPS

Internet Printing Protocol — the modern HTTP-based printing protocol, served by CUPS on Linux/macOS and by network printers.

tcpudpWell-knownCommonly attacked

Default state

Open on Linux/macOS hosts running CUPS and on most modern network printers/MFPs. The web admin interface listens here too.

Common attacks

  • CUPS unauthenticated RCE chain (CVE-2024-47176 + related, via cups-browsed)
  • Printer and queue enumeration over IPP
  • Exposed/unauthenticated CUPS web admin interface
  • Print job interception and malicious printer attribute injection

CVE-2024-47176CVE-2024-47076CVE-2024-47175CVE-2024-47177

Hardening

  • Disable or firewall cups-browsed; block UDP/631 from untrusted networks
  • Bind CUPS to localhost/internal interfaces; require auth on the admin UI
  • Patch CUPS and printer firmware (2024 RCE chain)
  • Use IPP over TLS (ipps) and disable unused printing protocols
  • Never expose 631 to the internet; segment printers into a VLAN

nmap snippet

nmap -p631 --script http-title,http-cups-info,cups-info,cups-queue-info <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 631?

Port 631 is the registered port for the Internet Printing Protocol (IPP), a modern HTTP-based printing protocol. On Linux and macOS it is served by CUPS (Common Unix Printing System), which also exposes a web administration interface on the same port. Most current network printers and MFPs speak IPP on 631 as well. UDP/631 is used by cups-browsed for printer discovery.

Why it matters for security

Because IPP runs over HTTP and CUPS bundles a web admin UI, port 631 is both a printing endpoint and a small web application — anything misconfigured there is network-reachable. In 2024 a serious unauthenticated RCE chain was disclosed in the CUPS stack, and exposed admin interfaces and discoverable queues make printers an easy enumeration and pivot target.

How it's attacked

The 2024 CUPS RCE chain (CVE-2024-47176 in cups-browsed, plus CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) lets a remote attacker send a crafted UDP packet to cups-browsed, add a malicious printer, and execute commands when a job prints. Attackers also enumerate printers and queues, abuse exposed admin interfaces, and inject malicious printer attributes or intercept jobs.

Hardening checklist

Disable or firewall cups-browsed and block UDP/631 from untrusted networks. Bind CUPS to localhost or internal interfaces and require authentication on the admin UI. Patch CUPS and printer firmware for the 2024 chain. Prefer IPP over TLS (ipps), disable unused printing protocols, and put printers in a dedicated VLAN — never expose 631 to the internet. The nmap scripts above enumerate CUPS info and queues on hosts you are authorized to test.

Related ports

Port 515Port 9100Port 80Port 443

Frequently asked questions

Is port 631 dangerous after the 2024 CUPS vulnerabilities?
Yes if exposed. The 2024 chain (CVE-2024-47176 and friends) lets a remote attacker reach cups-browsed on UDP/631 and ultimately run commands when a print job starts. Patch CUPS, disable cups-browsed, and block 631 externally.
What is the difference between IPP and CUPS on 631?
IPP is the printing protocol; CUPS is the common server (on Linux/macOS) that speaks IPP and also serves a web admin interface on port 631.