UPnP CallStranger vulnerability

A new critical vulnerability has been detected. It lies in the UPnP (Universal Plug and Play) protocol and directly affects the majority of Internet of Things (IoT) devices.


  • Remote code execution
  • Data exfiltration
  • Involuntary participation in a DDoS attack

Affected Systems

Systems confirmed as vulnerable (this list is being updated):

  • Windows 10 – upnphost.dll 10.0.18362.719
  • Xbox One – OS Version 10.0.19041.2494
  • ADB TNR-5720SX Box (TNR-5720SX/v16.4-rc-371-gf5e2289 UPnP/1.0 BH-upnpdev/2.0)
  • ASUS Media Streamer
  • ASUS Rt-N11
  • Belkin WeMo
  • Broadcom ADSL Modems
  • Canon SELPHY CP1200 Printer
  • Cisco X1000 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
  • Cisco X3500 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
  • D-Link DVG-N5412SP WPS Router (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Epson EP, EW, XP Series (EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0)
  • HP Deskjet, Photosmart, Officejet ENVY Series (POSIX, UPnP/1.0, Intel MicroStack/1.0.1347)
  • Huawei HG255s Router – Firmware HG255sC163B03 (ATP UPnP Core)
  • NEC Access Technica WR8165N Router (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Philips 2k14MTK TV – Firmware TPL161E_012.003.039.001
  • Samsung UE55MU7000 TV – Firmware T-KTMDEUC-1280.5, BT – S
  • Samsung MU8000 TV
  • TP-Link TL-WA801ND (Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.19)
  • TRENDnet TV-IP551W (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Zyxel VMG8324-B10A (LINUX/2.6 UPnP/1.0 BRCM400-UPnP/1.0)


A vulnerability named CallStranger and numbered CVE-2020-12695 was discovered and privately reported in late 2019 to the Open Connectivity Foundation (#OCF) by the security researcher named Yunus Çadırcı [1].

Many devices are vulnerable, either through their direct connection to the Internet, or because they sit in a DMZ and/or are exposed to the Internet via port forwarding mechanisms (#PAT).

This exposed equipment is highly likely to be exploited to set up distributed denial of service attacks (#DDoS).

In addition, this vulnerability can make it possible to:

  • discover the network services of a local network (via a port scan that bypasses perimeter network protections);
  • exfiltrate data, even if the flows leaving the local network are filtered by equipment (such as proxy servers or devices for protecting sensitive information, #DLP).

OCF updated the standard's specifications on April 17, 2020 and warned most of the vendors concerned that the update should be incorporated into their products. As this vulnerability affects a protocol and a multitude of devices, it is very likely that many devices will remain in production for a long time without benefiting from an update.


NTA now includes a specific detection rule allowing the detection of the exploitation of this vulnerability within the TEHTRIS XDR Platform.

A regularly updated website containing information about the vulnerability is available at:


The researcher has published a detailed report on GitHub [2].

[1] https://twitter.com/yunuscadirci

[2] https://github.com/yunuscadirci/CallStranger/blob/master/CallStranger%20-%20Technical%20Report.pdf


TEHTRIS CERT recommends checking whether your equipment directly connected to the Internet has the UPnP protocol active and, if so, deactivating it.

In general, the defense in depth principle requires disabling unnecessary services in order to decrease the attack surface of your systems.
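One way to carry out the check recommended above on a network segment you administer, as an added example (not TEHTRIS, OCF or the researcher's code): it sends one standard SSDP discovery request, lists every device that answers (meaning UPnP is active on it) and flags `SERVER` banners containing a fragment from the "Affected Systems" list. The function names and the sample reply are constructed for illustration; a match only means the device reports the same UPnP stack as a listed model.

```python
import socket

# Server-banner fragments copied from the "Affected Systems" list on this page.
AFFECTED_BANNERS = ("BH-upnpdev/2.0", "BRCM400/1.0", "BRCM400-UPnP/1.0",
                    "Realtek/V1.3", "Epson UPnP SDK/1.0", "Intel MicroStack/1.0.1347",
                    "Portable SDK for UPnP devices/1.6.19")
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n').encode()
# Constructed sample reply (documentation address, not a real device) for offline checks.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
                b"SERVER: Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.19\r\n"
                b"ST: upnp:rootdevice\r\n\r\n")

def parse_ssdp(raw):
    """Return the lower-cased headers of one SSDP reply, or {} unless it is a 200 response."""
    lines = raw.decode("utf-8", "replace").split("\r\n")
    status = lines[0].split()
    if len(status) < 2 or not status[0].startswith("HTTP/") or status[1] != "200":
        return {}
    pairs = (line.partition(":") for line in lines[1:])
    return {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}

def matched_banners(server):
    """List the page's banner fragments found (case-insensitively) in a SERVER value."""
    return [b for b in AFFECTED_BANNERS if b.lower() in server.lower()]

def discover(timeout=3.0):
    """Multicast one M-SEARCH on the local segment; return {ip: (server, location, matches)}."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.sendto(M_SEARCH, ("239.255.255.250", 1900))  # standard SSDP group and port
        try:
            while True:
                raw, (ip, _port) = sock.recvfrom(65507)
                h = parse_ssdp(raw)
                if h:
                    srv = h.get("server", "")
                    found[ip] = (srv, h.get("location", ""), matched_banners(srv))
        except socket.timeout:
            pass  # no more replies within the listening window
    return found

if __name__ == "__main__":
    for ip, (srv, loc, hits) in sorted(discover().items()):
        print(ip, srv or "(no SERVER header)", loc, "LISTED STACK" if hits else "")
```

Every address printed has UPnP active and is a candidate for the deactivation recommended above, whether or not its banner matches the list.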

If you need advice or help in finding and securing your equipment, the TEHTRIS team is at your disposal at the contact points indicated on our website https://tehtris.com/en/contact/

/// Sources