Categories: Security News

Over 65,000 Vulnerable Routers Abused by Multi-purpose Proxy Botnet

Attackers abuse the Universal Plug and Play (UPnP) protocol that comes with routers and uses the devices to create a powerful proxy network to effectively hide the origin location of the traffic origin.

It appears attackers used this multi-purpose proxy botnet to launch various attacks such as DDoS, Account take over, Credit Card Fraud, Click Fraud, Spamming, and Phishing.

UPnP is a service that makes’s the connectivity ease, it allows devices to expose connection and service automatically to other devices connected to the local network.

Akamai published the report on how the UPnP-enabled devices detected as participants in attacks, “we discovered that some devices appeared to be more susceptible to this vulnerability than others, and contained malicious NAT injections”.

How Attackers leverage UPnP Vulnerability

Attackers obtain required information to connect with TCP-enabled UPnP daemon through SSDP probe response and by modifying local IP address to public IP address allows the attacker to establish the connection with UPnP daemon.

Now hackers can inject bypassing local firewall to access the access the Internal IP address beyond the router or pointing the router itself to the IP or domain that presented outside of the LAN network.

UPnPUPnP
According to Akamai report “In initial Internet-wide scans, over 4.8 million devices were found to be vulnerable to simple UDP SSDP (the UDP portion of UPnP) inquiries. Of these, roughly 765,000 (16% of total) of the identified devices were confirmed to also expose their vulnerable TCP implementations. Over 65,000 (9% of vulnerable, 1.3% of total) of these vulnerable devices were discovered to have NAT injections”.

By having a widely distributed Multilayer proxy network that comprises encrypted and millions of unique IP address around the world the botnet authors post a tremendous challenge for investigations.

Researchers said there is no easy way for a human to audit or modify them on the devices themselves and the best way is to audit your NAT table entries.

A wide range of the devices affected by this vulnerability that covers 73 brands/manufacturers and close to 400 models. The possible mitigation is to replace the device or to disable vulnerable UPnP services.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

10 hours ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

10 hours ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

10 hours ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

10 hours ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

14 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

14 hours ago