Tons of vulnerabilities are found on tcp/0 port using vulnerability scanners
How could a IANA reserved port(tcp/0) handle traffic?
It can. Generally, TCP (or UDP) port 0 being in a reserved state doesn't mean it can't be used in practice. Though the way Berkeley sockets are designed it's not that easy to bind on port zero, it's nevertheless possible to use it.
However, it's highly unlikely that this is actually happening in your case. You're just using the Nessus scanner which lists activities not closely related to a specific port under port 0/TCP or 0/UDP (see: "Vulnerabilities by Host"). This is simply an (inconvenient?) convention to display port-less warnings under port 0 -- ironically, to avoid confusion.
Note that those a) are not necessarily vulnerabilities, just warnings or suggestions (e.g. not adhering to the best Microsoft practices while running a scanner); b) are not necessarily false positives. Try to ignore port zero itself, read the report carefully and act accordingly.
How could a IANA reserved port(tcp/0) handle traffic?
While the accepted answer explains how port 0 is still a real port, it may be helpful to understand how ports work in TCP. Below is a 32-bit-wide diagram of the a TCP packet, to scale. UDP is similar, although a lot simpler (after the ports, it has just a length field and a checksum field before the data).
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-------------------------------+-------------------------------+ | Source Port | Destination Port | +-------------------------------+-------------------------------+ | Sequence Number | +---------------------------------------------------------------+ | Acknowledgment Number | +-------+-----------+-+-+-+-+-+-+-------------------------------+ | Data | |U|A|P|R|S|F| | | Offset| Reserved |R|C|S|S|Y|I| Window | | | |G|K|H|T|N|N| | +-------+-----------+-+-+-+-+-+-+-------------------------------+ | Checksum | Urgent Pointer | +-------------------------------+-------------------------------+ | Options | Padding | +-----------------------------------------------+---------------+ | | / ... Data (optional) ... / | | +---------------------------------------------------------------+
As you can see, the source port and destination port fields are both 16 bits wide. This means it can represent 65536 different possible states, from 0 to 65535. This is incidentally why there are no negative ports, as the value is treated as unsigned. The only thing stopping any of the ports from being all null bytes (representing port 0) is an IANA standard saying not to do that. It is perfectly possible for a packet to be sent out with any of the ports set to 0. The purpose of keeping port 0 reserved is to allow "just give me any port" to be represented by a 16-bit integer. When an attempt is made to bind to TCP/0, rather than listening for packets with the destination port set to all zeros, the system is supposed to bind to any available port.