Port 3465: edm-mgr-cntrl — The Execution Daemon

Port 3465 is assigned by IANA to edm-mgr-cntrl — the Enterprise Desktop Manager (EDM) Manager Control service, created by Novadigm, Inc. in the 1990s.¹

Most people have never heard of Novadigm. But if you worked in corporate IT between 1995 and 2015, you almost certainly used their software — or its descendants — to push patches, deploy applications, and manage thousands of machines without touching any of them.

What Ran on This Port

Novadigm launched Enterprise Desktop Manager in 1992, one of the earliest tools for managing software across large fleets of PCs. The core idea was simple: instead of sending IT staff to every machine, you push software and execute management tasks remotely.²

Port 3465 served the manager control function — the channel through which the server communicated with its agents on managed machines. Each agent ran a service called radexecd.exe: the Radia Execution Daemon. Its job was to receive commands from the server and execute them locally.

Novadigm was acquired by HP, and the product passed through several identities: HP OpenView Configuration Management, HP Client Automation Software, and eventually Radia Client Automation under Persistent Systems after HP divested the product line.³

The CVE That Named the Daemon

In February 2015, researcher Ben Turner published CVE-2015-1497.⁴

The finding was blunt: radexecd.exe accepted remote command execution requests with no authentication.

Anyone who could reach TCP port 3465 on a machine running Radia Client Automation 7.9, 8.1, 9.0, or 9.1 could execute arbitrary commands on that machine — as the service account, which was often SYSTEM. No credentials. No token. No handshake. Send the right request, get command execution.

The software was designed to trust its manager implicitly. The flaw was that it trusted everyone, unconditionally.

A Metasploit module followed within two weeks.⁵ Any enterprise still running Radia agents with port 3465 exposed suddenly had every managed machine owned by anyone on the network.

Who Still Has This Port Open

Radia Client Automation is legacy software. Most deployments have migrated to modern endpoint management platforms (Microsoft Intune, Jamf, SCCM). But old enterprise software dies slowly, and "legacy" in corporate environments can mean "still running on 400 machines."

If you see port 3465 open on a machine today, it is almost certainly an old Radia agent. Patch it or retire it.

How to Check What's Listening

On Linux or macOS:

sudo ss -tlnp | grep 3465
# or
sudo lsof -i :3465

On Windows:

netstat -ano | findstr :3465
tasklist | findstr <PID>

If you find something listening, look up the process name. radexecd.exe is the telling one. On a modern machine with no legacy management software, nothing should be on 3465.

Port Range

Port 3465 sits in the registered ports range (1024–49151). These are ports IANA assigns to specific services upon request — they're not reserved like the well-known ports below 1024, but they have a claimed owner. Port 3465 was registered to Tom Hennessy at Novadigm.¹

Registered ports don't require elevated privileges to bind, which means any process can listen on 3465. IANA assignment signals intent, not enforcement.