Attackers abuse the Universal Plug and Play (UPnP) protocol that comes with routers and uses the devices to create a powerful proxy network to effectively hide the origin location of the traffic origin.
It appears attackers used this multi-purpose proxy botnet to launch various attacks such as DDoS, Account take over, Credit Card Fraud, Click Fraud, Spamming, and Phishing.
UPnP is a service that makes’s the connectivity ease, it allows devices to expose connection and service automatically to other devices connected to the local network.
Akamai published the report on how the UPnP-enabled devices detected as participants in attacks, “we discovered that some devices appeared to be more susceptible to this vulnerability than others, and contained malicious NAT injections”.
Attackers obtain required information to connect with TCP-enabled UPnP daemon through SSDP probe response and by modifying local IP address to public IP address allows the attacker to establish the connection with UPnP daemon.
Now hackers can inject bypassing local firewall to access the access the Internal IP address beyond the router or pointing the router itself to the IP or domain that presented outside of the LAN network.
According to Akamai report “In initial Internet-wide scans, over 4.8 million devices were found to be vulnerable to simple UDP SSDP (the UDP portion of UPnP) inquiries. Of these, roughly 765,000 (16% of total) of the identified devices were confirmed to also expose their vulnerable TCP implementations. Over 65,000 (9% of vulnerable, 1.3% of total) of these vulnerable devices were discovered to have NAT injections”.
By having a widely distributed Multilayer proxy network that comprises encrypted and millions of unique IP address around the world the botnet authors post a tremendous challenge for investigations.
Researchers said there is no easy way for a human to audit or modify them on the devices themselves and the best way is to audit your NAT table entries.
A wide range of the devices affected by this vulnerability that covers 73 brands/manufacturers and close to 400 models. The possible mitigation is to replace the device or to disable vulnerable UPnP services.
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…