ISP Virgin Media UK Restricting Port 7547 After Leaving it Open

Nothing to worry about, move along please. Cable broadband ISP Virgin Media has "taken steps to ensure [port 7547] is no longer discoverable" online after they left it open on some routers. The good news is that this "posed no security risk" to customers, but it remains unclear why it occurred.

For the uninitiated, port 7547 is commonly used by the TR-069 remote management service, which is what enables ISPs to access, manage and update your broadband router (e.g. this is necessary for use as part of customer support tasks). Most ISPs with their own bundled router will make some use of this and a few still leave the port open to the internet (this is rarely a concern as only your ISP will be able to use the service). However, in the past there have been cases where leaving port 7547 open has caused problems.

For example, back in 2016 a number of ISPs and router brands, including those used by TalkTalk, KCOM and the Post Office, were hit by malware that exploited weaknesses in TR-069 (here). Since then ISPs often prefer to air on the side of caution by restricting access to port 7547 (e.g. limiting access to only a specific range of IP addresses).

The impact of the aforementioned restriction is that for normal internet users the port will appear as closed when scanned, unless you happen to be using the specific IP range. We had assumed that Virgin Media were doing this too, although recently a number of Virgin Media's routers (e.g.

HUB 3.0) have started showing up on Shodan (a search engine for all internet connected devices) as having TCP port 7547 open. For example, on the 21st October 2020 the total results that Shodan tracked were around 235,000 Virgin Media IPs with port 7547 open, which then increased to 412,000 on 22nd and 787,000 on 24th. By Friday 30th October this had jumped to 1.7 million.

We must stress that there is currently no known security exploit that could abuse VM's routers through this, but it was a little odd and so we raised it with the ISP.

A Spokesperson for Virgin Media said: "We opened port 7547 for remote management using TR-069 and this was discoverable to internet users searching for it. This posed no security risk to our customers.

We have taken steps to ensure the port is no longer discoverable to provide an additional layer of security over and above the measures we already have in place."

Credits to Virgin Media for acting on that so quickly, even if there wasn't a known risk at the time - good network security often benefits from being a little bit paranoid. But at the last check on Friday the port was still discoverable via Shodan and the open IPs count continues to increase (some changes may not show up instantly).

Leave a Comment2 ResponsesJavascript must be enabled to post (most browsers do this automatically)
Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake).

This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session. NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.

You may also like...