Vulnerability Watch

Forum Discussion

snarang
Product Team
5 years ago

CallStranger: Universal Plug and Play (UPnP) Protocol Vulnerability Could Affect “Billions of Devices” (CVE-2020-12695)

Earlier today, a researcher named Yunus Çadirci released an advisory for CVE-2020-12695, a vulnerability in the Universal Plug and Play (UPnP) protocol. Dubbed “CallStranger,” the flaw exists in the UPnP SUBSCRIBE function used to track changes in other devices and services on a network.

Because this is a protocol-level vulnerability, the Open Connectivity Foundation (OCF), the current maintainers of UPnP, have released an updated protocol specification document. At the time this was posted, no patches had been published for this flaw. However, we anticipate that vendors are in the process of either developing or preparing to release their patches.

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.
