Port 789 carries the Red Lion Crimson protocol—a proprietary industrial control protocol used to program and configure HMI (Human-Machine Interface) touchscreens that control real-world factory equipment.

What Runs on Port 789

Red Lion Controls manufactures HMI operator panels—the touchscreens you see on factory floors that let workers monitor and control production lines, pumps, conveyor belts, and industrial processes. Their G3, Graphite, and CR series devices use port 789 for programming and firmware updates.[1]

When an engineer needs to upload a new configuration or update firmware on these devices, they connect using Crimson 2.0 or Crimson 3.0 software, which communicates over TCP port 789.[2]

This isn't a protocol for viewing data. This is the protocol for changing how the machine behaves.

How the Crimson Protocol Works

The Crimson v3 protocol operates over TCP port 789 and handles:

  • Uploading and downloading project files
  • Firmware updates
  • Configuration changes
  • Real-time device programming

The protocol is binary and proprietary. Researchers have created Wireshark dissectors and Nmap scripts to analyze and detect it.[3]

The Security Problem

Here's what makes security researchers lose sleep: the Crimson protocol has no encryption and no access controls.[4]

Every password travels in plain text. Every configuration file can be captured and analyzed by anyone who can see the traffic. The device can be programmed through port 789 if the feature is enabled, and while it's not open by default, many devices are misconfigured.

Internet scans regularly find Red Lion HMI devices exposed on port 789, accessible from the public Internet.[5] These are devices controlling real industrial processes—water treatment, manufacturing, power systems—with a programming interface that has no authentication.

Crimson 3.0 has known vulnerabilities. Version 3.1 (release 3112.00) addresses some issues, but the fundamental protocol design remains unchanged.[4]

Why This Port Matters

Port 789 sits at the intersection of IT security and operational technology (OT). These HMI devices aren't web servers or database clusters. They're the control panels for physical systems. A compromised HMI can mean altered production parameters, disabled safety systems, or manipulated process controls.

The devices themselves are often reliable and well-built for their industrial environment. The protocol they use for programming was designed in an era when industrial networks were assumed to be isolated and trusted. That assumption no longer holds.

Checking for Port 789

To see if something is listening on port 789:

Linux/Mac:

sudo lsof -i :789
netstat -an | grep -w 789

Windows:

netstat -an | findstr :789

To scan for Crimson devices on your network:

nmap -p 789 --script banner 192.168.1.0/24

If you find port 789 open on an Internet-facing device, that's a critical security issue.

Port 789 is part of the larger industrial control ecosystem:

  • Port 502 — Modbus TCP (commonly used with HMI devices)
  • Port 44818 — EtherNet/IP (another industrial protocol)
  • Port 20000 — DNP3 (SCADA protocol)
  • Port 102 — Siemens S7 (PLC programming)

Protecting Port 789

If you manage Red Lion HMI devices:

  1. Never expose port 789 to the Internet — Use firewalls to restrict access to trusted networks only
  2. Use VPNs for remote access — Don't rely on the protocol's nonexistent security
  3. Update to Crimson 3.1+ — Earlier versions have known vulnerabilities
  4. Disable the programming port when not in use — It's not enabled by default; keep it that way unless actively programming
  5. Monitor for unauthorized connections — Port 789 traffic should only occur during intentional programming sessions
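
One way to implement the monitoring in step 5, shown as an added example that is not part of the original page or of any Red Lion tooling. The flow records are constructed, and the engineering subnet, plant address range, and approved programming window are assumptions to replace with your own:

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

CRIMSON_PORT = 789
# Assumed for this example (not from the page): engineering workstation
# subnet, plant address space, and approved programming windows.
ENGINEERING_NETS = [ip_network("10.20.30.0/28")]
SITE_NETS = [ip_network("10.0.0.0/8")]
APPROVED_WINDOWS = [(datetime(2026, 3, 2, 8, 0), datetime(2026, 3, 2, 10, 0))]

# Constructed flow records: time, source, destination, destination port.
SAMPLE_FLOWS = """\
2026-03-02T08:15:00,10.20.30.5,10.50.0.11,789
2026-03-02T08:16:10,10.20.30.5,10.50.0.11,502
2026-03-02T23:41:07,10.20.30.5,10.50.0.11,789
2026-03-02T09:02:33,10.60.7.44,10.50.0.12,789
2026-03-03T03:12:54,203.0.113.77,10.50.0.11,789
"""


def classify(ts, src):
    """Return the reasons a port-789 connection is unexpected (empty if none)."""
    addr = ip_address(src)
    reasons = []
    if not any(addr in net for net in ENGINEERING_NETS):
        in_site = any(addr in net for net in SITE_NETS)
        reasons.append("non-engineering-source" if in_site else "off-site-source")
    if not any(start <= ts <= end for start, end in APPROVED_WINDOWS):
        reasons.append("outside-window")
    return reasons


def find_alerts(flow_text):
    """Scan CSV flow records and return (time, src, dst, reasons) for port 789."""
    alerts = []
    for row in csv.reader(io.StringIO(flow_text)):
        if not row or int(row[3]) != CRIMSON_PORT:
            continue  # skip blank lines and non-Crimson traffic
        when, src, dst = row[:3]
        reasons = classify(datetime.fromisoformat(when), src)
        if reasons:
            alerts.append((when, src, dst, reasons))
    return alerts


if __name__ == "__main__":
    for when, src, dst, reasons in find_alerts(SAMPLE_FLOWS):
        print(f"{when} {src} -> {dst}:{CRIMSON_PORT} {','.join(reasons)}")
```

Only the 08:15 session from the engineering subnet inside the approved window passes silently; the other three port 789 connections are reported with the reason each one is unexpected.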

The Honest Assessment

Port 789 is a well-known port carrying a protocol designed for a different era. The Crimson protocol works reliably for its intended purpose—programming industrial HMIs—but it assumes the network is trusted and isolated.

That assumption is dangerous in 2026. Industrial networks connect to corporate networks, which connect to the Internet. Devices that were never meant to be reachable from outside the factory floor are now one misconfigured firewall away from global exposure.

The protocol can't be fixed without breaking compatibility with millions of deployed devices. The solution isn't to redesign Crimson—it's to ensure port 789 never speaks to anyone it shouldn't.
