| Vulnerability / campaign | Description | Impact | Status and exploitation | Affected systems |
|---|---|---|---|---|
| CVE-2025-48821 (Windows UPnP Device Host Use-After-Free) | A use-after-free flaw in the UPnP Device Host service (upnphost.dll) allows attackers on adjacent networks to send crafted UPnP discovery packets, leading to memory corruption and privilege escalation. No authentication is needed; the flaw exploits the inherent trust placed in the local network. | High: privilege escalation (local to SYSTEM), potential RCE on Windows systems. CVSS 8.1 (AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). | Patched in the July 2025 Microsoft updates (e.g., Windows 10/11, Server 2016+). No public in-the-wild exploits confirmed yet, but similar historical UPnP flaws (e.g., CVE-2019-1405) were abused. Actively scanned for by threat actors. | Windows 10 (21H2+), Windows 11 (22H2+), Windows Server 2016/2019/2022/2025 |
| CVE-2025-25427 (TP-Link WR841N Stored XSS via UPnP) | Stored cross-site scripting (XSS) in the UPnP page (upnp.htm) allows remote attackers to inject malicious JavaScript via port mapping descriptions. The payload executes when the admin loads the page, enabling credential theft or session hijacking. | Medium-High: admin credential theft, potential RCE via further chaining. CVSS 8.6. Public PoC available on GitHub. | Disclosed April 2025; TP-Link advisory issued, but 1.5M+ vulnerable devices are exposed online (per ZoomEye scans). Exploit code is public; no confirmed mass abuse, but targeted attacks are likely. | TP-Link WR841N routers (firmware ≤4.19) |
| CVE-2025-7911 (D-Link DI-8100 Stack Buffer Overflow) | Stack-based buffer overflow in the sprintf call of /upnp_ctrl.asp (jhttpd component) via manipulated "remove_ext_proto" / "remove_ext_port" arguments. Allows remote code execution without authentication. | Critical: RCE on exposed routers. CVSS 9.8. | Disclosed July 2025; a public exploit has been disclosed. Vendor unresponsive; actively exploitable on unpatched devices. | D-Link DI-8100 (firmware 1.0) |
| CVE-2025-6752 (Linksys Routers UPnP Layer3Forwarding Overflow) | Stack-based buffer overflow in the UPnP Layer3Forwarding service, enabling remote code injection via crafted packets. | High: RCE on home routers. CVSS 7.5+. | Disclosed June 2025; PoC available. Limited patching; exposed in home networks. | Linksys routers (various models using the vulnerable UPnP stack) |
| Eternal Silence (UPnP NAT Injection Campaign) | Ongoing campaign abusing UPnP vulnerabilities (e.g., in MiniUPnP and the Portable UPnP SDK) to inject malicious port mappings, exposing internal services (e.g., RDP, SMB) for follow-on attacks such as ransomware. Affects ~45,000+ devices. | High: backdoor creation, lateral movement, DDoS amplification. | Active since 2022; 2025 scans show 277,000 vulnerable devices (out of 3.5M scanned), with confirmed injections. No specific CVE, but tied to unpatched libraries (e.g., MiniUPnP <2.0). | Routers/appliances using vulnerable UPnP libraries (e.g., Netgear, older Cisco) |
| Flash UPnP Attacks | Malicious SWF files exploit UPnP to force routers to open ports to attacker-controlled servers, bypassing firewalls. Often chained with NAT traversal flaws. | Medium: port exposure, data exfiltration. | Persistently active in 2025 phishing kits; no CVE, but documented in threat reports. Affects browsers with legacy Flash support. | Any UPnP-enabled router with internet-facing services |
| Pinkslipbot/Qakbot Malware (UPnP Abuse) | Banking Trojan that exploits UPnP port forwarding to hide C2 communications and proxy traffic. Infected devices become part of botnets. | High: persistent infection, proxying for DDoS/ransomware. | Active in 2025 campaigns; FBI warnings renewed. Exploits unpatched routers for initial spread. | Windows/IoT devices with UPnP; tied to older CVEs such as CVE-2014-8361 (Realtek SDK) |
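The Eternal Silence and Pinkslipbot entries share one defensive check: read back the gateway's UPnP port-mapping table and flag entries that either forward to a host outside the LAN (the router is being used as a forwarding proxy) or expose RDP/SMB-class services to the Internet. The script below is an added example, not code from the table or from any of the vendors named in it. It parses the SOAP body of WANIPConnection `GetGenericPortMappingEntry` responses offline; the three responses, the LAN prefix 192.168.1.0/24 and the helper names are constructed for the example.

```python
"""Audit UPnP IGD port mappings for NAT-injection patterns.

Input: SOAP responses to WANIPConnection:1 GetGenericPortMappingEntry
(one mapping per response). The samples at the bottom are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Services that should essentially never be reachable from the WAN side.
SENSITIVE_PORTS = {135: "MSRPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}


@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    enabled: bool


def parse_mapping_response(xml_text: str) -> PortMapping:
    """Extract one mapping from a GetGenericPortMappingEntry SOAP response.
    The argument elements carry no namespace prefix in IGD responses, so a
    plain descendant search by tag name is enough."""
    root = ET.fromstring(xml_text)

    def text(tag: str) -> str:
        el = root.find(f".//{tag}")
        return (el.text or "").strip() if el is not None else ""

    return PortMapping(
        external_port=int(text("NewExternalPort")),
        protocol=text("NewProtocol").upper(),
        internal_client=text("NewInternalClient"),
        internal_port=int(text("NewInternalPort")),
        description=text("NewPortMappingDescription"),
        enabled=text("NewEnabled") == "1",
    )


def audit_mapping(m: PortMapping, lan: ipaddress.IPv4Network) -> List[str]:
    """Return human-readable findings for one mapping (empty list if benign)."""
    findings: List[str] = []
    if not m.enabled:
        return findings
    try:
        client = ipaddress.ip_address(m.internal_client)
        if client not in lan:
            # Hallmark of NAT injection: the "internal" side is an external host,
            # so the router relays WAN traffic to a third party.
            findings.append(
                f"ext {m.protocol}/{m.external_port} forwards to {m.internal_client}, "
                f"which is outside the LAN {lan}: router is acting as a proxy"
            )
    except ValueError:
        findings.append(f"unparseable internal client {m.internal_client!r}")
    if m.internal_port in SENSITIVE_PORTS:
        findings.append(
            f"ext {m.protocol}/{m.external_port} exposes {SENSITIVE_PORTS[m.internal_port]} "
            f"on {m.internal_client}:{m.internal_port} to the Internet"
        )
    return findings


def audit_mappings(responses: List[str], lan_cidr: str = "192.168.1.0/24"
                   ) -> Dict[Tuple[str, int], List[str]]:
    """Audit a list of SOAP responses; keyed by (protocol, external port)."""
    lan = ipaddress.ip_network(lan_cidr)
    report: Dict[Tuple[str, int], List[str]] = {}
    for xml_text in responses:
        m = parse_mapping_response(xml_text)
        hits = audit_mapping(m, lan)
        if hits:
            report[(m.protocol, m.external_port)] = hits
    return report


def _response(ext: int, proto: str, client: str, internal: int, desc: str,
              enabled: str = "1") -> str:
    """Build a constructed GetGenericPortMappingEntry response (sample data)."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol>
<NewInternalPort>{internal}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient>
<NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse>
</s:Body>
</s:Envelope>"""


# Constructed samples: a benign game-server mapping, an RDP exposure, and an
# injected mapping that relays to an external host's SMB port.
SAMPLE_RESPONSES = [
    _response(27015, "UDP", "192.168.1.20", 27015, "game server"),
    _response(3389, "TCP", "192.168.1.10", 3389, "rdp"),
    _response(55500, "TCP", "203.0.113.7", 445, "injected"),
]

if __name__ == "__main__":
    for key, hits in audit_mappings(SAMPLE_RESPONSES).items():
        for hit in hits:
            print(f"{key[0]}/{key[1]}: {hit}")
```

In a live audit the responses come from posting `GetGenericPortMappingEntry` to the gateway's WANIPConnection control URL with `NewPortMappingIndex` 0, 1, 2, ... until the device answers with UPnP error 713 (SpecifiedArrayIndexInvalid); feeding each response body to `audit_mappings` gives the same report. A mapping whose internal client lies outside the LAN has no legitimate use on a home gateway and is worth deleting and investigating regardless of the port involved.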