Security News > 2020 > June > CallStranger: UPnP Flaw Affecting Billions of Devices Allows Data Exfiltration, DDoS Attacks
A newly disclosed UPnP vulnerability that affects billions of devices can be exploited for various types of malicious activities, including distributed denial-of-service attacks and data exfiltration.
Designed to facilitate the automatic discovery and interaction with devices on a network, the UPnP protocol is meant for use within trusted local area networks, as it lacks any form of authentication or verification.
"Although offering UPnP services on the Internet is generally considered to be a misconfiguration, a number of devices are still available over the Internet according to a recent Shodan scan," CERT/CC notes.
" is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices," Çadırcı explained.
"Home users are not expected to be targeted directly. If their internet facing devices have UPnP endpoints, their devices may be used for DDoS source. Ask your ISP if your router has Internet facing UPnP with CallStranger vulnerability - there are millions of consumer devices exposed to Internet. Don't port forward to UPnP endpoints," Çadırcı says.
News URL
Related news
- Cloudflare mitigates record number of DDoS attacks in 2025 (source)
- DDoS attacks jump 358% compared to last year (source)
- Pro-Russia hacktivists bombard Dutch public orgs with DDoS attacks (source)
- Europol Shuts Down Six DDoS-for-Hire Services Used in Global Attacks (source)
- New HTTPBot Botnet Launches 200+ Precision DDoS Attacks on Gaming and Tech Sectors (source)