Connect with us

Hi, what are you looking for?



1.2 Million Networking Devices Vulnerable Due to NAT-PMP Issues

Researchers have found that a large number of networking devices are vulnerable to cyberattacks because of poor implementation or configuration of the Network Address Translation – Port Mapping Protocol (NAT-PMP).

Researchers have found that a large number of networking devices are vulnerable to cyberattacks because of poor implementation or configuration of the Network Address Translation – Port Mapping Protocol (NAT-PMP).

Jon Hart, a security researcher with Rapid7, reported on Tuesday that the security firm identified roughly 1.2 million Internet-connected devices affected by malicious port mapping manipulation and information disclosure vulnerabilities.

NAT-PMP is a UDP protocol deployed on NAT devices that allows users from a public network (i.e., the Internet) to access TCP or UDP services from a private network that’s located behind the NAT device. NAT-PMP is usually found in small office/home office (SOHO) routers and other networking devices.

 NAT-PMP is designed for use on networks where clients are trusted, so there aren’t any security mechanisms built into the protocol. Some implementations, however, do include some restrictions to prevent abuse.

According to Hart, all of the 1.2 million devices identified during Rapid7’s scans appear to disclose information on the NAT-PMP device. Approximately 88% of the devices allow denial-of-service (DoS) attacks against host services, and access to internal NAT client services. Over 1 million of the devices allow interception of external traffic, while around 30,000 allow interception of internal traffic.

The information disclosure issue exposes external IP addresses and ports, but the researcher says they pose relatively little risk. The other issues described by the security firm can be exploited through malicious NAT-PMP port mapping manipulation.

For example, the interception of internal traffic can be used to obtain information on sensitive internal services, such as DNS and HTTP/HTTPS administration. An attacker can also use port mapping to access  services provided by clients behind the NAT device by spoofing NAT-PMP port mapping requests. A malicious actor can cause the device to enter a DoS state by requesting an external port mapping for a UDP or TCP service that is already listening on that port.

Advertisement. Scroll to continue reading.

By leveraging the information disclosure flaw, Rapid7 was able to identify the location of vulnerable devices. Experts found affected devices in Argentina (145,866), the Russian Federation (133,126), China (119,043), Brazil (110,007), India (99,168), Malaysia (89,934), the United States (64,182), Mexico (50,662), Singapore (49,713) and Portugal (18,863).

Researchers believe most of the devices they have identified are vulnerable due to incorrect configurations of MiniUPnP, a lightweight Universal Plug and Play (UPnP) library that is used in a large number of devices.

Rapid7 has attempted to identify the companies whose products are vulnerable, but the task proved challenging. The security firm asked CERT/CC to handle the notification of potentially affected vendors and organizations. While no CVE identifiers have been assigned for the security holes, CERT/CC has cataloged them as VU#184540.

“The vulnerabilities disclosed in this advisory are not theoretical, however how many devices on the public Internet are actually vulnerable to the more severe traffic interception issues is unknown.  Vendors producing products with NAT-PMP capabilities should take care to ensure that flaws like the ones disclosed in this document are not possible in normal and perhaps even abnormal configurations,” Hart explained. “ISPs and entities that act like ISPs should take care to ensure that the access devices provided to customers are similarly free from these flaws.  Lastly, for consumers with NAT-PMP capable devices on your network, your should ensure that all NAT-PMP traffic is prohibited on un-trusted network interfaces.”

After learning of the security issues uncovered by Rapid7, the MiniUPnP Project took some steps to protect users against the attacks described by researchers, Hart said.

Additional details on the NAT-PMP research are available on Rapid7’s blog.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.