Security News > 2020 > June > CallStranger: UPnP Flaw Affecting Billions of Devices Allows Data Exfiltration, DDoS Attacks
A newly disclosed UPnP vulnerability that affects billions of devices can be exploited for various types of malicious activities, including distributed denial-of-service attacks and data exfiltration.
Designed to facilitate the automatic discovery and interaction with devices on a network, the UPnP protocol is meant for use within trusted local area networks, as it lacks any form of authentication or verification.
"Although offering UPnP services on the Internet is generally considered to be a misconfiguration, a number of devices are still available over the Internet according to a recent Shodan scan," CERT/CC notes.
" is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet facing and billions of LAN devices," Çadırcı explained.
"Home users are not expected to be targeted directly. If their internet facing devices have UPnP endpoints, their devices may be used for DDoS source. Ask your ISP if your router has Internet facing UPnP with CallStranger vulnerability - there are millions of consumer devices exposed to Internet. Don't port forward to UPnP endpoints," Çadırcı says.