Port reference

Port 69 (UDP) – TFTP

Trivial File Transfer Protocol — minimal, unauthenticated UDP file transfer.

Tags: UDP, well-known, commonly attacked

Default state

Open only where a TFTP server is deliberately enabled — PXE boot, network device backups, IP phone provisioning. Should never face the internet.

Common attacks

  • Unauthenticated download of device configs and firmware
  • Arbitrary file read/write via path traversal (../)
  • Overwriting boot/config files to plant backdoors
  • Buffer-overflow RCE in older TFTP daemons

Hardening

  • Disable TFTP unless strictly required; prefer SFTP/SCP
  • Bind to an isolated management VLAN, never the internet
  • Restrict access by IP allowlist and a firewall on UDP 69
  • Chroot the server and make the file root read-only where possible
  • Patch the daemon; old TFTP servers carry overflow CVEs

nmap snippet

nmap -sU -p69 --script tftp-enum <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 69?

Port 69 hosts TFTP (Trivial File Transfer Protocol), a deliberately minimal UDP file-transfer protocol. It has no login, no directory listing, and no encryption — just RRQ/WRQ read and write requests. Its simplicity makes it the default choice for PXE network boot, backing up and restoring network device configurations and firmware, and provisioning IP phones on internal networks.

Why it matters for security

The absence of authentication is the whole problem: anyone who can reach UDP 69 can request whatever files the server is willing to serve. On network gear that often means downloading running configs — complete with credentials, SNMP communities, and VPN secrets — or uploading a tampered config or firmware image. A TFTP server exposed beyond its intended management segment is effectively an open file share.

How it's attacked

Attackers query for well-known filenames to steal device configs and firmware, and abuse path traversal (../) on weak servers to read or write files outside the intended root. Write access lets them overwrite boot or config files to plant persistence. Several legacy TFTP daemons also carry buffer-overflow bugs that yield remote code execution from a single crafted packet.
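The RRQ/WRQ requests mentioned above are, per RFC 1350, a 2-byte opcode followed by a NUL-terminated filename and a NUL-terminated transfer mode. As an added example that is not part of this reference page, the following Python parses that layout from UDP payloads and flags the traversal and write patterns described here, the way a monitoring rule on the management VLAN would; the sample payloads are constructed, not captured traffic.

```python
import posixpath
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}   # RFC 1350

def parse_request(payload: bytes) -> dict:
    """Parse a TFTP payload laid out as opcode | filename | 0 | mode | 0."""
    (opcode,) = struct.unpack("!H", payload[:2])   # struct.error if shorter than 2 bytes
    name = OPCODES.get(opcode)
    if name is None:
        raise ValueError(f"unknown opcode {opcode}")
    if name not in ("RRQ", "WRQ"):
        return {"opcode": name}          # DATA/ACK/ERROR carry no filename
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("filename/mode not NUL-terminated")
    return {"opcode": name, "filename": fields[0].decode("ascii", "replace"), "mode": fields[1].decode("ascii", "replace").lower()}

def is_traversal(filename: str) -> bool:
    if filename.startswith("/"):        # absolute path ignores the file root outright
        return True
    normalised = posixpath.normpath(filename)   # 'configs/../../x' collapses to '../x'
    return normalised == ".." or normalised.startswith("../")

def triage(payload: bytes) -> str:
    """Return 'ok', 'review: ...', 'alert: ...' or 'malformed: ...' for one payload."""
    try:
        req = parse_request(payload)
    except (ValueError, struct.error) as exc:
        return f"malformed: {exc}"
    if req["opcode"] not in ("RRQ", "WRQ"):
        return "ok"
    if is_traversal(req["filename"]):
        return f"alert: path traversal in {req['opcode']} {req['filename']!r}"
    if req["opcode"] == "WRQ":       # writes should be rare on a read-only file root
        return f"review: write request for {req['filename']!r}"
    return "ok"

# Constructed sample payloads (not real captures): 2-byte opcode, then NUL-terminated strings.
SAMPLES = [
    b"\x00\x01startup-config\x00octet\x00",        # ordinary config read -> ok
    b"\x00\x02boot.cfg\x00octet\x00",              # write to a boot file -> review
    b"\x00\x01../../etc/passwd\x00netascii\x00",   # traversal in a read -> alert
    b"\x00\x04\x00\x01",                           # ACK for block 1 -> ok
    b"\x00\x01broken",                             # missing NUL terminators -> malformed
]

if __name__ == "__main__":
    print("\n".join(triage(sample) for sample in SAMPLES))
```

On a server whose file root is read-only, every "review" line is worth a look, and any "alert" line means a client tried to leave the root.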

Hardening checklist

Disable TFTP entirely unless a workflow strictly needs it, and prefer SFTP or SCP instead. Where TFTP is required, bind it to an isolated management VLAN, restrict it with an IP allowlist and a firewall on UDP 69, chroot the server, and make the file root read-only where possible. Keep the daemon patched. The nmap snippet above enumerates files a TFTP server exposes on a host you are authorized to test.

Frequently asked questions

Is TFTP secure?
No. TFTP has no authentication and no encryption, so anyone who can reach UDP 69 may read or write files the server exposes. Use it only on isolated, firewalled networks.
What is TFTP used for?
It is used for lightweight transfers like PXE network boot, loading router/switch configs and firmware, and provisioning IP phones — tasks that need simplicity over security.