List being updated whose vulnerability is confirmed:
A vulnerability named CallStranger, tracked as CVE-2020-12695, was discovered and privately reported in late 2019 to the Open Connectivity Foundation (#OCF) by security researcher Yunus Çadırcı.
Many devices are vulnerable, whether through a direct connection to the Internet, through placement in a DMZ, and/or through port forwarding mechanisms (#PAT) that expose them to the Internet.
There is a high probability that this exposed equipment will be exploited to set up distributed denial-of-service attacks (#DDOS).
In addition, this vulnerability can allow:
OCF updated the standard's specifications on April 17, 2020 and notified most of the affected vendors that the update should be incorporated into their products. As this vulnerability affects a protocol and a multitude of peripherals, it is very likely that many devices will remain in production for a long time without benefiting from an update.
A regularly updated website containing information about the vulnerability is available at:
The researcher has made a detailed report available on GitHub.
TEHTRIS CERT recommends checking whether your equipment directly connected to the Internet has the UPnP protocol enabled and, if so, disabling it.
In general, the defense in depth principle requires disabling unnecessary services in order to decrease the attack surface of your systems.
If you need advice or help in finding and securing your equipment, the TEHTRIS team is at your disposal at the contact points indicated on our website https://tehtris.com/en/contact/