Test your router to see if its vulnerable to the UPnP Exploit.

By +Warwagon
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

As of recently it has been discovered that most routers expose UPnP to the outside world, which is not good at all. This allows attackers "from the internet" to open ports in your routers.

It is recommended you DISABLE UPnP in your router. Below is a test to see if your router is vulnerable. Steve Gibson, the creator of the very popular "Shields-up" which scans your IP for open ports in your router has recently added a test for the upnp vulnerability. Simply click the link then click the "proceed" button. You will then see a button for the UPnP test. Good luck!

The Test

https://www.grc.com/x/ne.dll?bh0bkyd2

  • Teebor, The Evil Overlord, MillionVoltss and 1 other
  • Like 4
Experienced

pes2013

Posted
Posted

It is recommended you DISABLE UPnP in your router.

No; It is recommened that you get a good router. I have UPnP on my router enabled and

THE EQUIPMENT AT THE TARGET IP ADDRESS

DID NOT RESPOND TO OUR UPnP PROBES!

So either I have a good router or the test sucks.

Mentor

ajua

Posted
Posted

It's only recommended to disable UPnP on your routers if they don't pass that test, which means they are exposing you to the outer world.

Just passed the test on three touters with UPnP enabled. Two of them are running DD-WRT.

post-203976-0-34939600-1359915937.png

Grand Master

trek

Posted
Posted

THE EQUIPMENT AT THE TARGET IP ADDRESS

DID NOT RESPOND TO OUR UPnP PROBES!

Why would you disable uPnP anyways? It allows internal hosts to dynamically open ports like XBL or PSN for gaming and voice. Without it you'd have to manually open every single port those services and similar ones use. Just keep your internal hosts clean.

Grand Master

LUTZIFER

Posted
Posted

THE EQUIPMENT AT THE TARGET IP ADDRESS

DID NOT RESPOND TO OUR UPnP PROBES!

Why would you disable uPnP anyways? It allows internal hosts to dynamically open ports like XBL or PSN for gaming and voice. Without it you'd have to manually open every single port those services and similar ones use. Just keep your internal hosts clean.

Yeah I agree with keeping uPnP enabled also.

I ran many different servers over the years, long time ago now, so I had many ports opened for access, and that site's port tests always showed me as being safe and secure.

All depends on what type of security you're running on your computers.

Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted

There should be no issue with running UPnP/NAT-PMP on your router if it's properly configured, I knew mine would pass this test from the start since it exposes it's configuration in a good manner (It only allows hosts on the 192.168/16 subnet to create a forwarding rule, and said rule has to point at the host that requested it, otherwise it's rejected), and shows what ports are forwarded on what protocol.

Never mind the fact that the firewall should reject outside communication before it even gets to the UPnP/NAT-PMP daemon anyway, if it isn't being blocked you have bigger issues.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

"Without it you'd have to manually open every single port those services and similar ones use."

So -- your talking a handful of ports at most.. UPnP is to allow unsolicted inbound traffic to get through your nat router. Traffic initiated by you, or in answer to your traffic is allowed.

Most people have no use of UPnP, it has been a nightmare since it was created -- who in their right mind thought, hey lets allow ports to be opened on your gateway/firewall without any sort of auth at all!!

And no UPnP should not be reachable via your public IP that is for damn sure.

Grand Master

spaceelf

Posted
Posted

I disable it anyway. The fact that UPnP, by design, lets any application communicate with the router and open ports should make any security conscious user uneasy.

If you trust what's in your network and have the routers firewall up I don't see how it could.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

^ the point is UPnP can remove your firewall settings. Without even a nod to you that its doing so, nor any sort of auth method to allow it.

There really needs to be some form of notification and auth to the mechanism - and then sure it would be a valid tool in opening firewall ports for the masses.

Grand Master

xendrome

Posted
Posted

THE EQUIPMENT AT THE TARGET IP ADDRESS

DID NOT RESPOND TO OUR UPnP PROBES!

Why would you disable uPnP anyways? It allows internal hosts to dynamically open ports like XBL or PSN for gaming and voice. Without it you'd have to manually open every single port those services and similar ones use. Just keep your internal hosts clean.

It would allow any malicious program to actively contact your router, open whatever ports it wants, and then transmit data through those ports all without your knowledge.... pretty big security hole if you ask me.

Steve Gibson, the person who creates the most FUD on the internet with his crazy rants and observations!!!

I'm not going to argue that the fact that he is crazy, which he probably is, but he is also very smart. And Facts do not = FUD.

Are you up to date on this UPnP issue? The typical way UPnP works is, an active program on one of the systems on your network will contact the router and open ports for whatever program/service to pass data through. Sounds ok right, well there is an exploit on a TON of routers that allows that request to be made from the OUTSIDE over the WAN, so if you have one of these affected routers, anyone outside your network, can open up ports into your network using a little bit of packet "magic". It's a pretty big deal.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Ventoy 1.1.14

      By Copernic · Posted

      Ventoy 1.1.14 by Razvan Serea Ventoy is an open source tool to create bootable USB drive for ISO/WIM/IMG/VHD(x)/EFI files. With Ventoy, you don't need to format the disk over and over, you just need to copy the ISO/WIM/IMG/VHD(x)EFI files to the USB drive and boot them directly. You can copy many files at a time and ventoy will give you a boot menu to select them. Both Legacy BIOS and UEFI are supported in the same way. Most type of OS supported (Windows/WinPE/Linux/Unix/Vmware/Xen...) Ventoy features: 100% open source Simple to use Fast (limited only by the speed of copying iso file) Directly boot from ISO/WIM/IMG/VHD(x)/EFI file, no extraction needed Legacy + UEFI supported in the same way UEFI Secure Boot supported (since 1.0.07+) Persistence supported (since 1.0.11+) MBR and GPT partition style supported (1.0.15+) WIM files boot supported (Legacy + UEFI) (1.0.12+) IMG files boot supported (Legacy + UEFI) (1.0.19+) Auto installation supported (1.0.09+) File injection supported (1.0.16+) ISO files larger than 4GB supported Native boot menu style for Legacy & UEFI Most type of OS supported(Windows/WinPE/Linux/Unix/Vmware/Xen...), 550+ iso files tested Not only boot but also complete installation process ISO files can be listed in List mode/TreeView mode Linux vDisk boot supported (vdi/vhd/raw) "Ventoy Compatible" concept Plugin Framework Menu Alias/Menu Style/Customized Menu supported USB drive write-protected support USB normal use unaffected Data nondestructive during version upgrade No need to update Ventoy when a new distro is released Ventoy 1.1.14 changelog: Update secure boot shim file to solve the UEFI CA 2023 issue. The new release use a new CA, so you need to enroll the new key for the first boot time. VentoyPlugson update synchronously. Global control plugin add a VTOY_SECURE_BOOT_POLICY option. Notes Download: Ventoy 1.1.14 | 15.9 MB (Open Source) Download: Ventoy Live CD | 187.0 MB Link: Ventoy Home Page | Project Page @GitHub | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Save 83% on PRO$PER Lifetime Pass by Sterling Stock Picker

      By News Staff · Posted

      Save 83% on PRO$PER Lifetime Pass by Sterling Stock Picker by Steven Parker Today's deal from our Apps + Software section of the Neowin Deals store, lets you save 83% on PRO$PER Lifetime Pass by Sterling Stock Picker. Note: Only available to NEW users. This deal is exclusive to Stacksocial. Gain Financial Freedom Through Expert Education PRO$PER Financial Success System is a comprehensive financial education platform designed to help individuals build stronger money habits, make informed financial decisions, and create a clear path toward long-term wealth. The program includes 12+ in-depth financial courses, more than 150 lessons, personalized learning pathways, and a financial dashboard that tracks your progress and goals. Members receive lifetime access to expert-led training from seasoned financial educator Jaden Sterling, along with exclusive resources such as worksheets, eBooks, webinars, and practical implementation tools. The platform also features Finley AI, an intelligent financial coaching assistant that delivers personalized guidance, recommendations, and educational support tailored to your unique financial journey. Ideal for anyone looking to reduce debt, improve budgeting skills, grow investments, prepare for retirement, or achieve greater financial confidence and stability. Whether you're a beginner learning the fundamentals of personal finance or someone seeking to strengthen an existing financial plan, the platform provides actionable strategies and step-by-step guidance to help you reach your goals. Through personalized recommendations, community support, and AI-powered coaching, members can develop better financial habits, avoid common money mistakes, and stay focused on long-term success. By combining education with practical implementation, PRO$PER empowers users to build sustainable wealth, improve financial security, and create a stronger foundation for their future. Comprehensive Financial Training Made Simple Financial Success Blueprint: Learn the fundamentals of budgeting, saving, debt reduction, investing, retirement planning, and wealth creation. 12+ Comprehensive Financial Courses: Access a growing library of expert-led courses covering personal finance and money management. 150+ Financial Lessons: Explore a wide range of educational content designed to strengthen your financial knowledge. Lifetime Access: Enjoy unlimited access to all current and future training materials at your own pace. Self-Paced Learning: Study anytime, anywhere, with no deadlines or fixed class schedules. Expert-Led Instruction: Learn from experienced financial educator and mentor Jaden Sterling. Step-by-Step Learning Paths: Follow structured roadmaps that simplify complex financial topics. AI-Powered Support for Financial Success Finley AI Financial Coach: Get on-demand guidance, insights, and support from an AI-powered financial assistant. Personalized Financial Dashboard: Track financial goals, confidence levels, progress, and areas for improvement. Tailored Learning Recommendations: Receive customized course suggestions based on your profile and objectives. Investment & Wealth-Building Insights: Explore strategies to grow wealth and make informed financial decisions. Resources and Support to Thrive Financially Decision-Making Support: Gain confidence in managing money, investing, and long-term planning. Community Support Network: Connect with like-minded members, share experiences, and learn from others. Exclusive Educational Resources: Access eBooks, worksheets, webinars, guides, and practical financial tools. Actionable Learning Approach: Apply concepts immediately through exercises, implementation strategies, and real-world examples. Good to know Length of access: Lifetime Redemption deadline: redeem your code within 60 days of purchase Access Options: Desktop and mobile Max number of devices: Unlimited Updates included Only available to NEW users PRO$PER Lifetime Pass by Sterling Stock Picker normally costs $499 but it can be yours for only $79.99, that's a saving of $420 (83%) off! For terms, and more details click the link below. PRO$PER Lifetime Pass by Sterling Stock Picker at 83% off (was $499) Although priced in U.S. dollars, this deal is available for digital purchase worldwide. Support queries If you have queries or need support for any of the Neowin Deals, please use the contact form here. Neowin Deals are managed and sold by StackCommerce who represent Neowin on an affiliate basis. Why we post these deals We post these because we earn commission on each sale so as not to rely solely on advertising, which many of our readers block. It all helps toward paying staff reporters, servers and hosting costs. So for those that keep moaning and complaining, be thankful we're still online for you to even do that. Other ways to support Neowin Whitelist Neowin by not blocking our ads Create a free member account to see fewer ads Make a donation to support our day to day running costs Subscribe to Neowin - for $14 a year, or $28 a year for an ad-free experience Disclosure: Neowin benefits from revenue of each sale made through our branded deals site powered by StackCommerce.
    • AMD confirms 26.6.2 FSR driver breaks on many Windows PCs

      By Mockingbird · Posted

      Windows 10 is end-of-life (EOL) anyway.
    • Grand Theft Auto VI pricing revealed alongside Ultimate Edition and pre-loading details

      By Asgardi · Posted

      So I predicted the pricing exactly correctly...
    • AMD confirms 26.6.2 FSR driver breaks on many Windows PCs

      By Mockingbird · Posted

      1. It only affects Windows 10, which is EOL anyway. 2. NVIDIA had very serious driver issues for >6 months after the GeForce RTX 5000 series came out.

  • Recent Achievements

    • First Post
      Tom Schmidt earned a badge
      First Post
    • One Month Later
      D0nn13 earned a badge
      One Month Later
    • Rookie
      +ChiefOfNeo went up a rank
      Rookie
    • One Year In
      Tom Schmidt earned a badge
      One Year In
    • One Month Later
      Tom Schmidt earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      456
    2. 2
      +Edouard
      177
    3. 3
      PsYcHoKiLLa
      123
    4. 4
      Michael Scrip
      84
    5. 5
      Xenon
      76
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!