26 matches found
CVE-2026-36611
Mercusys AC12G EU V1 with firmware AC12GEUV1200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPnP port 1900, exposing internal memory to unauthenticated adjacent network attackers...
EUVD-2026-34150
Mercusys AC12G EU V1 with firmware AC12GEUV1200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPnP port 1900, exposing internal memory to unauthenticated adjacent network attackers...
CVE-2020-23622
An issue in the UPnP protocol in 4thline cling 2.0.0 through 2.1.2 allows remote attackers to cause a denial of service via an unchecked CALLBACK parameter in the request header...
K17451: UPnP vulnerability VU#361684
Security Advisory Description: Home routers implementing the UPnP protocol do not sufficiently randomize UUIDs in UPnP control URLs, or implement other UPnP security measures. VU361684. Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status: F5 Produc...
4thline cling uPnP protocol issue can lead to denial of service
An issue in the UPnP protocol in 4thline cling 2.0.0 through 2.1.2 allows remote attackers to cause a denial of service via an unchecked CALLBACK parameter in the request header. As of 2022, 4thline cling is no longer supported by the maintainers...
GHSA-C438-6F6R-PG8W 4thline cling uPnP protocol issue can lead to denial of service
An issue in the UPnP protocol in 4thline cling 2.0.0 through 2.1.2 allows remote attackers to cause a denial of service via an unchecked CALLBACK parameter in the request header. As of 2022, 4thline cling is no longer supported by the maintainers...
CVE-2020-23622
The CVE-2020-23622 entry maps to CVE-2020-12695 in the connected material, affecting 4thline cling UPnP/DLNA (Java/Android) versions 2.0.0–2.1.2. The issue is a Denial of Service caused by an unchecked CALLBACK header parameter in UPnP SUBSCRIBE requests, arising from missing validation in the li...
Universal Plug and Play (UPnP): What You Need to Know
Universal Plug and Play (UPnP) is a widely used protocol with a decade-long history of flawed implementations across a wide range of consumer devices. In this paper, we will cover how these flaws are still present on devices, how these vulnerabilities are actively being abused, and how a...
CVE-2021-35393
Realtek Jungle SDK version v2.x up to v3.4.14B provides a 'WiFi Simple Config' server that implements both UPnP and SSDP protocols. The binary is usually named wscd or miniupnpd and is the successor to miniigd. The server is vulnerable to a stack buffer overflow vulnerability that is present due ...
CVE-2021-35392
Realtek Jungle SDK (Realtek RTL819xD-based devices) exposes a vulnerable WiFi Simple Config server (Go-Ahead/Boa HTTP web server variants) that implements UPnP/SSDP. CVE-2021-35392 describes a heap overflow in handling SSDP NOTIFY messages crafted from M-SEARCH ST headers, affecting Realtek Jungl...
npupnp DNS Rebinding Vulnerability
npupnp is an implementation library for the UPNP protocol. A DNS rebinding vulnerability exists in the embedded web server in versions prior to npupnp 4.1.4. An attacker can exploit this vulnerability to achieve remote code execution...
Security Advisory - CallStranger Vulnerability in UPnP Protocol
There is a vulnerability in the UPnP protocol, named CallStranger, that does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL. The UPnP function of Huawei product is enabled only on the LAN side and ...
CERT/CC Reports Vulnerability in Universal Plug and Play Protocol
The CERT Coordination Center (CERT/CC) has released information on a vulnerability (CVE-2020-12695) affecting versions of the Universal Plug and Play (UPnP) protocol released before April 17, 2020. The UPnP protocol allows networked devices to discover and connect with each other. A remote attacker could...
Plurox: Modular backdoor
In February this year, a curious backdoor passed across our virtual desk. The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on...
Your Smart Coffee Maker is Brewing Up Trouble
ARCHIVED STORY. By Sam Quinn · February 25, 2019. IoT devices are notoriously insecure and this claim can be backed up with a laundry list of examples. With more devices “needing” to connect to the internet, the possibility of your WiFi enabled toaster...
Attackers Use UPnP to Sidestep DDoS Defenses
Universal Plug and Play networking protocols have never been a friend of security researchers. On Monday, Imperva gave the InfoSec community another reason to dislike UPnP. In a proof-of-concept Distributed Denial of Service (DDoS) attack, Imperva researchers have devised a way to exploit the UPnP...
New DDoS Attack Method Demands a Fresh Approach to Amplification Assault Mitigation
Amplification attack vectors are some of the most commonly used tools in the DDoS attacker’s arsenal. In the last quarter of 2017, we saw NTP amplification employed in roughly 33 percent of all DDoS assaults against our customers, while DNS and SSDP amplification vectors played a part in 17 perce...
Code Used in Zero Day Huawei Router Attack Made Public
Exploit code used in the Mirai malware variant called Satori, which was used to attack hundreds of thousands of Huawei routers over the past several weeks, is now public. Researchers warn the code will quickly become a commodity and be leveraged in DDoS attacks via botnets such as Reaper or...
Huawei HG532 Router Remote Code Execution (CVE-2017-17215)
A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532 has been discovered by Check Point Researchers, and hundreds of thousands of attempts to exploit it have already been found in the wild. The delivered payload has been identified as OKIRU/SATORI, an updated variant of Mirai...