Multiple vulnerabilities identified in Universal Plug and Play (UPnP)

Security researchers have identified multiple vulnerabilities in libupnp, the open source portable SDK for Universal Plug and Play (UPnP) devices. Libupnp is employed by hundreds of vendors for UPnP-enabled media devices designed to support automatic discovery and service configuration.

The NCSC recommends that affected UPnP device vendors and developers obtain and employ libupnp version 1.6.18, which addresses these vulnerabilities.

It is also advised that network administrators review the full details of CERT Vulnerability Note VU#922681 and disable UPnP (if possible), as well as restricting access to SSDP (1900/udp & tcp) and Simple Object Access Protocol (SOAP) services from untrusted networks like the Internet.