Security Experts:

Connect with us

Hi, what are you looking for?



CallStranger: UPnP Flaw Affecting Billions of Devices Allows Data Exfiltration, DDoS Attacks

A newly disclosed UPnP vulnerability that affects billions of devices can be exploited for various types of malicious activities, including distributed denial-of-service (DDoS) attacks and data exfiltration.

A newly disclosed UPnP vulnerability that affects billions of devices can be exploited for various types of malicious activities, including distributed denial-of-service (DDoS) attacks and data exfiltration.

Designed to facilitate the automatic discovery and interaction with devices on a network, the UPnP protocol is meant for use within trusted local area networks (LANs), as it lacks any form of authentication or verification.

Many commonly used Internet-connected devices include support for UPnP, but the Device Protection service, which adds security features to UPnP, has not been widely adopted.

In an alert published on Monday, the CERT Coordination Center (CERT/CC) warns of a vulnerability that impacts the protocol in effect prior to April 17, when the Open Connectivity Foundation (OCF) updated the UPnP protocol specification. The flaw could allow attackers to send “large amounts of data to arbitrary destinations accessible over the Internet.”

The vulnerability, which is tracked as CVE-2020-12695 and is referred to as CallStranger, could be abused by remote, unauthenticated attackers to carry out DDoS assaults, bypass security systems and exfiltrate data, and scan internal ports.

“Although offering UPnP services on the Internet is generally considered to be a misconfiguration, a number of devices are still available over the Internet according to a recent Shodan scan,” CERT/CC notes.

The vulnerability, discovered by Yunus Çadırcı of EY Turkey, impacts Windows PCs, gaming consoles, TVs and routers from Asus, Belkin, Broadcom, Cisco, Dell, D-Link, Huawei, Netgear, Samsung, TP-Link, ZTE, and possibly many others.

“[The vulnerability] is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices,” Çadırcı explained.

To stay protected, vendors are advised to implement the updated specifications provided by the OCF. Users should keep an eye on vendor support channels for updates implementing the new SUBSCRIBE specification.

Device manufacturers should disable the UPnP SUBSCRIBE capability in default configurations, and ensure that explicit user consent is required to enable SUBSCRIBE with any appropriate network restrictions. Disabling the UPnP protocol on Internet-accessible interfaces is also advised.

“Home users are not expected to be targeted directly. If their internet facing devices have UPnP endpoints, their devices may be used for DDoS source. Ask your ISP if your router has Internet facing UPnP with CallStranger vulnerability — there are millions of consumer devices exposed to Internet. Don’t port forward to UPnP endpoints,” Çadırcı says.

The security researcher also points out that botnets might soon start implementing the technique, by consuming end-user devices. Enterprises might have blocked Internet-exposed UPnP devices, but intranet-to-intranet port scanning is expected to become an issue.

Related: Researchers Use UPnP Protocol to Unmask IPv6 Address

Related: IP-in-IP Vulnerability Affects Devices From Cisco and Others

Related: Microsoft Office for Mac Users Exposed to Macro-Based Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.