UPnP Security Holes Expose Millions of Networked Devices to Attacks

Researchers at Rapid7 have uncovered that roughly 40-50 million network-enabled devices are at risk due to vulnerabilities in the Universal Plug and Play (UPnP) protocol.

Universal Plug and Play (UPnP) is a set of networking protocols that allows communication between computers and network-enabled devices. It is enabled by default on millions of devices, from routers to printers to IP cameras and network storage servers. UPnP support is also enabled by default on Microsoft Windows, Mac OS X and many distributions of Linux.

UPnP Security Vulnerabilities

In a new whitepaper, Rapid7 declares that the UPnP protocol “suffers from a number of basic security problems”, ranging from a lack of authentication in device manufacturers' implementations to common programming flaws that plague the most widely used UPnP software libraries. These issues, the report notes, are endemic across UPnP-enabled applications and network devices.

“This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices,” blogged HD Moore, chief security officer at Rapid7, who authored the report. “The results were shocking to say the least.”

“The two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities,” he continued. “In the case of the Portable UPnP SDK, over 23 million IPs are vulnerable to remote code execution through a single UDP packet. All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP. This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in and of itself.”

As part of the analysis, UPnP discovery requests were sent to every routable IPv4 address approximately once a week from June 1 to November 17, 2012. This identified more than 81 million unique IP addresses that responded to a standard UPnP discovery request. Ultimately, it was determined that roughly 17 million of these systems also exposed the UPnP Simple Object Access Protocol (SOAP) service to the world.

The report also found that more than 73 percent of all UPnP instances discovered through the Simple Service Discovery Protocol (SSDP) were derived from only four software development kits. These include the Portable SDK for UPnP Devices, Broadcom’s MiniUPnP, and another commercial kit the report states could not be tracked to a specific developer. This heavy concentration substantially increases the impact of any vulnerabilities found within these implementations, Moore argues in the report.

In addition, the UPnP instances found to be using the Portable SDK for UPnP Devices and the MiniUPnP library both expose the software library version in the SSDP response, and the company’s analysis of these versions showed that the majority of exposed devices are using UPnP libraries that are more than four years old.
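The version leak described above is also what makes a defensive inventory straightforward: the SERVER header of an SSDP M-SEARCH response names the library and its version, so an administrator can grade the devices on their own network without any exploitation. The script below is an added example, not Rapid7's ScanNow tool or code from the report; it parses constructed (not captured) SSDP responses, pulls the library and version out of the SERVER header, and flags Portable SDK builds older than 1.6.18, the fixed version named in the article. The regular expressions for the SERVER strings and the sample addresses are assumptions; the article gives no fixed version for MiniUPnP, so those devices are only reported for manual follow-up.

```python
import re
from typing import Optional

# Constructed sample SSDP M-SEARCH responses (not real captures). The SERVER
# header is where the Portable SDK and MiniUPnP announce their library version;
# LOCATION points at the device description that leads to the SOAP control URLs.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
    "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    "SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    "LOCATION: http://192.0.2.11:5000/rootDesc.xml\r\n"
    "SERVER: OS 1.0 UPnP/1.0 miniupnpd/1.0\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000002::upnp:rootdevice\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    "LOCATION: http://192.0.2.12:2869/upnphost/udhisapi.dll\r\n"
    "SERVER: Microsoft-Windows/6.1 UPnP/1.0 UPnP-Device-Host/1.0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    "LOCATION: http://192.0.2.13:49152/description.xml\r\n"
    "SERVER: Linux/3.4, UPnP/1.0, Portable SDK for UPnP devices/1.6.18\r\n\r\n",
]

# Version named in the article as the one carrying the Portable SDK fixes.
LIBUPNP_FIXED = (1, 6, 18)

# Assumed SERVER-header patterns for the two libraries discussed in the article.
LIBRARY_PATTERNS = [
    ("libupnp", re.compile(r"Portable SDK for UPnP devices/([\d.]+)", re.I)),
    ("miniupnp", re.compile(r"miniupnpd?/([\d.]+)", re.I)),
]


def parse_headers(response: str) -> dict:
    """Split an SSDP response into upper-cased header name -> value."""
    headers = {}
    for line in response.split("\r\n")[1:]:   # skip the status line
        if not line:                           # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def parse_version(text: str) -> tuple:
    """'1.6.18' -> (1, 6, 18); tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def identify_library(server: str) -> Optional[tuple]:
    """Return (library, version) from a SERVER header, or None if unrecognised."""
    for name, pattern in LIBRARY_PATTERNS:
        match = pattern.search(server)
        if match:
            return name, match.group(1)
    return None


def assess(response: str) -> dict:
    """Grade one SSDP response: outdated / current / needs review / unknown."""
    headers = parse_headers(response)
    server = headers.get("SERVER", "")
    finding = {
        "location": headers.get("LOCATION"),
        "server": server,
        "library": None,
        "version": None,
        "status": "unknown library",
    }
    library = identify_library(server)
    if library:
        name, version = library
        finding["library"], finding["version"] = name, version
        if name == "libupnp":
            outdated = parse_version(version) < LIBUPNP_FIXED
            finding["status"] = "outdated" if outdated else "current"
        else:
            # The article gives no MiniUPnP fixed version, so only report it.
            finding["status"] = "check vendor advisory"
    return finding


def inventory(responses) -> list:
    """Assess a batch of responses; candidates for disabling UPnP come first."""
    rank = {"outdated": 0, "check vendor advisory": 1, "unknown library": 2, "current": 3}
    return sorted((assess(r) for r in responses), key=lambda f: rank[f["status"]])


if __name__ == "__main__":
    for finding in inventory(SAMPLE_RESPONSES):
        print(f"{finding['status']:<22} {finding['library'] or '-':<9} "
              f"{finding['version'] or '-':<7} {finding['location']}")
```

Version strings are compared as integer tuples rather than as text, which is what makes 1.6.6 sort below 1.6.18; a plain string comparison would get that pair wrong. The sort order puts the devices that need attention first, which matches the article's advice to start by identifying and disabling exposed endpoints rather than waiting for vendor firmware.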

“The vulnerabilities we identified in the Portable UPnP SDK have been fixed as of version 1.6.18 (released today), but it will take a long time before each of the application and device vendors incorporate this patch into their products,” Moore blogged. “In most cases, network equipment that is ‘no longer shipping’ will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new. The flaws identified in the MiniUPnP software were fixed over two years ago, yet over 330 products are still using older versions.”

Moore suggested organizations take immediate action to identify and disable any Internet-exposed UPnP endpoints in their environments. The company has released a free tool called ScanNow UPnP to help organizations identify exposed UPnP endpoints on their networks and flag any that are remotely exploitable through recently discovered vulnerabilities.

“Based on our experience with users updating software on their PCs, which they use frequently and where they are acquainted with the process of updating the software, it is clear that software isn’t updated very frequently,” said Thomas Kristensen, chief security officer at Secunia. “The hurdle of having to find the web interface of a device, which most have probably never logged onto, and finding the update and going through that whole process is likely to intimidate many users. In short… many of these devices are likely to go unpatched till the day they are trashed.”

In response to Rapid7’s findings, US-CERT issued an advisory on the issue and said that they attempted to notify more than 200 vendors identified by Rapid7 as running libupnp.
