Port 2702: SMS XFER — Microsoft's Remote Control Port

What Port 2702 Is

Port 2702 sits in the registered ports range (1024–49151). These are ports that organizations and vendors can formally register with IANA for specific applications. Registration doesn't mean the port is universally active — it means a vendor claimed it for a purpose.

Port 2702's registered name is sms-xfer. The "SMS" is not Short Message Service. It stands for Systems Management Server, Microsoft's enterprise IT management product from the late 1990s and early 2000s, which was later rebranded as System Center Configuration Manager (SCCM) and eventually Microsoft Endpoint Configuration Manager.

What Ran Here

Microsoft SMS included a Remote Tools component that allowed IT administrators to remotely view and control employee workstations. That remote control functionality used two ports:

• TCP 2701 — the primary remote control channel
• TCP 2702 — the secondary transfer channel

When an administrator connected to a managed machine's desktop, traffic flowed over these ports. In corporate environments of the early 2000s, this was the standard way IT departments took over machines to fix problems without walking the floor.

The Vulnerability

Port 2702 is better remembered for a security flaw than its intended purpose.

In 2004, Microsoft disclosed CVE-2004-0728: the Remote Control Client service in SMS 2.50.2726.0 would crash when it received a malformed packet on TCP port 2702. The service attempted to read or write to an invalid memory address, causing a denial of service. An unauthenticated remote attacker could crash the SMS remote control agent with a single specially crafted packet.¹

Microsoft addressed this in Security Bulletin MS04-042.²

The port has also appeared in databases linking it to the Black Diver trojan, though this is an old association from the same era and not a current concern on patched systems.

Who Still Uses It

SMS/SCCM has evolved significantly. Modern versions of Microsoft Endpoint Configuration Manager use different ports for most functions. Port 2702 is largely a historical artifact.

If you see unexpected traffic on port 2702 today, it warrants investigation. The most likely explanations are a legacy SCCM remote tools configuration, a misconfigured or old management agent, or unauthorized software.

How to Check What's Listening

On Linux or macOS:

ss -tlnp | grep 2702
# or
lsof -i :2702

On Windows:

netstat -ano | findstr :2702

The PID in the output can be matched to a process in Task Manager or with:

tasklist /fi "pid eq <PID>"

Why Unassigned and Legacy Ports Matter

The registered port range contains thousands of entries, many of them for software that no longer ships or has moved on. Port 2702 illustrates why port inventories matter: a port associated with a 20-year-old vulnerability and a long-deprecated service can still be open on machines running old agent software.

Port scanners flag it. Firewalls sometimes need rules for it. And administrators occasionally have to explain why an old Microsoft service is still listening.

Most registered ports are quiet most of the time. But any port with open ears is a potential attack surface, which is why "what's listening on my machine" is always a worthwhile question.