Port reference
Port 7547 (TCP) – TR-069 / CWMP
CWMP endpoint ISPs use to remotely provision and manage customer routers and CPE devices over the WAN.
Default state
Open on ISP-supplied routers/CPE so the provider's ACS can send Connection Requests that trigger a management session. Often reachable from the entire WAN rather than from the ACS alone, making it a prime mass-exploitation target.
Common attacks
- Mass router takeover by the 2016 Mirai variant (Annie), which abused a TR-064 command-injection flaw that firmware had left reachable on this port
- Remote code execution through unauthenticated SOAP/RPC handling
- Hijacking provisioning to push malicious firmware or DNS settings
- Internet-wide scanning for vulnerable CPE to build botnets
Hardening
- Never expose 7547 to the public WAN; restrict to the ACS source IPs only
- Patch CPE firmware promptly and disable CWMP if unused
- Require authenticated, TLS-protected ACS connections
- Filter inbound 7547 at the ISP edge and on the device
- Monitor for unexpected provisioning requests and config changes
nmap snippet
nmap -p7547 --script http-title,banner <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 7547?
Port 7547 is the standard endpoint for TR-069 / CWMP (CPE WAN Management Protocol). Internet service providers use it so their auto-configuration server (ACS) can remotely provision, update, and troubleshoot customer routers and CPE over the WAN. The device runs a small HTTP listener on this port that accepts the ACS's Connection Request, an HTTP GET that TR-069 requires to be protected with Digest authentication. On receiving one, the CPE opens its own session to the ACS URL, and the SOAP RPCs (Inform, SetParameterValues, Download and so on) are exchanged over that CPE-initiated connection.
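The exposure check that the nmap snippet above begins can be taken one step further by looking at how the listener answers an unauthenticated probe. The following is an added example, not code from the page or from any CPE vendor or ACS product: it classifies captured responses from TCP/7547 as the expected Digest challenge, a weak Basic challenge, or a management endpoint that processed a request with no credential at all. The request paths and the response bodies are constructed (a CPE's real ConnectionRequestURL path is device specific).

```python
"""Classify what a TCP/7547 listener did with unauthenticated probes.

Added example for this page; the probes below are constructed, not real captures.
"""
from dataclasses import dataclass, field


@dataclass
class Probe:
    """One request sent to :7547 and the response that came back."""
    method: str
    path: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def classify(probe: Probe) -> tuple:
    """Return (severity, reason); severity is expected, weak, critical or info."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    hdrs = {k.lower(): v for k, v in probe.headers.items()}
    auth = hdrs.get("www-authenticate", "").strip().lower()
    body = probe.body.lower()
    soap_answered = "envelope" in body and "soap" in body

    if probe.status == 401 and auth.startswith("digest"):
        # TR-069 mandates HTTP Digest on the ACS->CPE Connection Request;
        # a bare 401 challenge is the behaviour we want to see.
        return "expected", "connection request requires HTTP Digest auth"
    if probe.status == 401 and auth.startswith("basic"):
        # Basic auth on a plaintext port hands the ACS credential to anyone
        # who can observe the traffic.
        return "weak", "Basic auth challenge on a plaintext management port"
    if probe.method == "POST" and probe.status == 200 and soap_answered:
        # A SOAP envelope was accepted and answered with no credential:
        # an unauthenticated management surface facing the WAN.
        return "critical", "unauthenticated SOAP request was processed"
    if probe.method == "GET" and probe.status == 200:
        return "critical", "connection-request URL answered 200 without a challenge"
    if probe.status in (403, 404, 405):
        return "info", f"HTTP {probe.status}: listener present, path not accepted"
    return "info", f"HTTP {probe.status}: unclassified response"


def triage(probes: list) -> dict:
    """Group findings by severity so the worst one is easy to pick out."""
    out: dict = {}
    for p in probes:
        sev, reason = classify(p)
        out.setdefault(sev, []).append(f"{p.method} {p.path}: {reason}")
    return out


# Constructed responses in the shape a scanner records (assumed paths, fake nonce).
SAMPLE_PROBES = [
    Probe("GET", "/", 401,
          {"WWW-Authenticate": 'Digest realm="cwmp", nonce="0123abcd", qop="auth"'}),
    Probe("GET", "/", 401, {"WWW-Authenticate": 'Basic realm="tr069"'}),
    Probe("POST", "/soap", 200, {"Content-Type": "text/xml"},
          '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          "<soap:Body><u:Response/></soap:Body></soap:Envelope>"),
    Probe("POST", "/soap", 404, {}),
]

if __name__ == "__main__":
    for sev, items in sorted(triage(SAMPLE_PROBES).items()):
        for item in items:
            print(f"[{sev}] {item}")
```

Only the first response is acceptable for an ISP-managed device. The Connection Request listener itself is usually plain HTTP, which is why Digest (not Basic) is required there; the TLS protection the hardening list asks for applies to the CPE-initiated session to the ACS URL.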
Why it matters for security
Because 7547 is frequently reachable from the public internet, it is a high-value, internet-wide attack surface. A vulnerable CWMP implementation lets an attacker push malicious firmware, DNS, or config, or run code directly on the router — and home routers rarely get patched, so flaws persist for years across millions of identical devices.
How it's attacked
The 2016 Mirai variant known as Annie spread through routers that exposed 7547 to the internet. Its target was not CWMP itself but a TR-064 (LAN-side management) SOAP interface that the firmware had left reachable on the same WAN port, giving unauthenticated command execution and enrolling devices into botnets at massive scale. Attackers scan the entire internet for open 7547, fingerprint the firmware from the HTTP response, and hijack provisioning to redirect DNS or install persistent malware.
Hardening checklist
Never expose 7547 to the public WAN: restrict inbound access to the ISP's ACS source IPs only, and filter the port at both the ISP edge and the device. Patch CPE firmware promptly and disable CWMP if it is not used. Require authenticated, TLS-protected ACS sessions and monitor for unexpected provisioning requests or config changes. Use the nmap snippet to check exposure on devices you are authorized to test.
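The allowlist and monitoring items in the checklist can be enforced together: anything reaching 7547 from outside the ACS range is, by definition, an unexpected provisioning request. The script below is an added example, not code from the page, a router vendor or an ISP. It parses firewall log lines in netfilter LOG style and counts 7547 hits per source address that is not in the ACS allowlist; both the log lines and the ACS range (203.0.113.0/28, documentation address space) are constructed assumptions.

```python
"""Flag inbound TCP/7547 connections that did not come from the ISP's ACS.

Added example for this page; log lines and address ranges are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Optional

# Assumed ACS range (documentation space); only these hosts may talk to 7547.
ACS_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/28")]
CWMP_PORT = 7547

# netfilter LOG lines carry KEY=VALUE pairs; we need SRC, DPT and PROTO.
_FIELD = re.compile(r"\b(SRC|DPT|PROTO)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Return {'src': str, 'dpt': int, 'proto': str} or None if not a firewall hit."""
    fields = dict(_FIELD.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    try:
        ipaddress.ip_address(fields["SRC"])          # reject garbage early
        return {"src": fields["SRC"], "dpt": int(fields["DPT"]),
                "proto": fields.get("PROTO", "?")}
    except ValueError:
        return None


def from_acs(src: str) -> bool:
    """True when the source address falls inside the ACS allowlist."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ACS_ALLOWLIST)


def unexpected_cwmp_sources(lines) -> Counter:
    """Count 7547/TCP hits per source that is not an allowlisted ACS."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dpt"] != CWMP_PORT or rec["proto"] != "TCP":
            continue
        if not from_acs(rec["src"]):
            hits[rec["src"]] += 1
    return hits


def looks_like_scan(hits: Counter, min_sources: int = 2) -> bool:
    """Several distinct unexpected sources in one window suggests internet-wide scanning."""
    return len(hits) >= min_sources


# Constructed log lines in netfilter LOG style (not real captures).
SAMPLE_LOG = [
    "Jan 10 03:12:01 cpe kernel: [FW-IN] IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=44120 DPT=7547 SYN",
    "Jan 10 03:12:09 cpe kernel: [FW-IN] IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=60001 DPT=7547 SYN",
    "Jan 10 03:12:10 cpe kernel: [FW-IN] IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=60002 DPT=7547 SYN",
    "Jan 10 03:12:31 cpe kernel: [FW-IN] IN=ppp0 OUT= SRC=192.0.2.201 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=7547 SYN",
    "Jan 10 03:12:40 cpe kernel: [FW-IN] IN=ppp0 OUT= SRC=192.0.2.99 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=22 SYN",
    "Jan 10 03:12:41 cpe kernel: [FW-IN] IN=ppp0 OUT= SRC=192.0.2.7 DST=198.51.100.7 PROTO=UDP SPT=40001 DPT=7547",
    "Jan 10 03:12:42 cpe dnsmasq[412]: started, version 2.89",
]

if __name__ == "__main__":
    hits = unexpected_cwmp_sources(SAMPLE_LOG)
    for src, n in hits.most_common():
        print(f"unexpected 7547 connection(s) from {src}: {n}")
    if looks_like_scan(hits):
        print("multiple unexpected sources: consistent with mass scanning of 7547")
```

The ACS hit is accepted silently; the two attacker addresses are reported, the SSH and UDP lines are ignored. On a real device the same allowlist belongs in the packet filter so these connections are dropped as well as logged.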
Frequently asked questions
- What is port 7547 used for?
- It runs TR-069 (CWMP), the protocol ISPs use to remotely configure and manage home routers and CPE via an auto-configuration server (ACS). It is typically reachable from the WAN.
- Why is port 7547 dangerous?
- Management services listening on 7547 have been exploited at scale: in 2016 the Mirai variant Annie abused a TR-064 interface exposed on the CWMP port to hit hundreds of thousands of routers. If 7547 is open to the internet and the firmware is vulnerable, remote code execution and botnet enrollment are possible.