{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/upnp/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-27916"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["windows","upnp","privilege-escalation","cve-2026-27916"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-27916 is a critical use-after-free vulnerability affecting the Windows Universal Plug and Play (UPnP) Device Host service. This vulnerability allows an attacker with local access to elevate their privileges on the system. The vulnerability exists due to improper memory management within the UPnP service when handling specific network requests or device interactions. Successful exploitation could allow a low-privileged user or process to execute arbitrary code with elevated privileges, potentially leading to full system compromise. While specific exploitation details are not provided in the advisory, the nature of use-after-free vulnerabilities indicates the potential for reliable exploitation. 
This vulnerability requires local access, suggesting that it is likely part of a multi-stage attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting another vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies that the target system is running the vulnerable Windows UPnP Device Host.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious UPnP request designed to trigger the use-after-free condition within the UPnP service.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted UPnP request to the vulnerable service, triggering the memory corruption.\u003c/li\u003e\n\u003cli\u003eThe UPnP service attempts to access the freed memory, leading to a crash or, with careful manipulation, code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the use-after-free vulnerability to overwrite critical system structures in memory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the corrupted memory to inject and execute arbitrary code within the context of the UPnP service, which runs with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges on the system, allowing them to perform actions such as installing software, modifying data, and creating new accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-27916 allows a local attacker to elevate privileges to SYSTEM. This could allow a malicious actor to gain complete control over an affected system, potentially leading to data theft, system compromise, and further lateral movement within a network. The vulnerability affects any system running the vulnerable Windows UPnP service. 
The impact is high due to the potential for full system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-27916 on all affected Windows systems. Refer to the Microsoft advisory \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27916\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27916\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnable process auditing to monitor for unexpected processes being launched by the UPnP service (svchost.exe hosting the upnphost service) to aid in detecting potential exploitation attempts. Implement the \u0026ldquo;UPnP Device Host Spawning Suspicious Process\u0026rdquo; Sigma rule below, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious network activity originating from the UPnP service (svchost.exe).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-cve-2026-27916-upnp/","summary":"CVE-2026-27916 is a use-after-free vulnerability in Windows Universal Plug and Play (UPnP) Device Host that allows an authorized attacker to elevate privileges locally.","title":"CVE-2026-27916 Use-After-Free in Windows UPnP Device Host","url":"https://feed.craftedsignal.io/briefs/2026-04-cve-2026-27916-upnp/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-32156"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["use-after-free","windows","upnp","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32156 is a use-after-free vulnerability affecting the Windows Universal Plug and Play (UPnP) Device Host service. This vulnerability allows a local, unauthorized attacker to execute arbitrary code. 
The vulnerability arises from improper memory management within the UPnP service when handling device discovery or control requests. Successful exploitation requires specific conditions to trigger the use-after-free condition. The vulnerability was reported to Microsoft and assigned a CVSS v3.1 base score of 7.4, indicating a high severity. Exploitation of this vulnerability leads to arbitrary code execution, potentially allowing the attacker to gain elevated privileges on the affected system. It\u0026rsquo;s crucial for defenders to apply the patch released by Microsoft to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system through some other means (e.g., phishing, exploiting a different vulnerability, or physical access).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious UPnP device description or control message.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted message to the Windows UPnP Device Host service (upnphost.dll).\u003c/li\u003e\n\u003cli\u003eThe UPnP service parses the malicious message, triggering a use-after-free condition due to improper memory management.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the use-after-free condition to overwrite memory, gaining control of the program execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker injects and executes arbitrary code within the context of the UPnP Device Host service.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges from the UPnP Device Host service (running as Local Service) to SYSTEM.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution with SYSTEM privileges, allowing them to install malware, modify system settings, or steal sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32156 allows an 
attacker to execute arbitrary code with SYSTEM privileges on a vulnerable Windows system. This could allow the attacker to install malware, steal sensitive data, or take complete control of the affected system. The vulnerability is locally exploitable, meaning an attacker needs some form of access to the target machine to initiate the exploit. While no widespread exploitation has been reported, the potential impact of arbitrary code execution warrants immediate patching and monitoring.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-32156 on all affected Windows systems (reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32156\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32156\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious activity originating from the \u003ccode\u003eupnphost.dll\u003c/code\u003e or \u003ccode\u003esvchost.exe\u003c/code\u003e processes, which host the UPnP service. 
Use the Sigma rule provided to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process auditing to capture detailed information about process creation and execution, which can aid in identifying exploitation attempts (reference: Sigma rule logsource).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T18:39:36Z","date_published":"2026-04-14T18:39:36Z","id":"/briefs/2026-04-upnp-use-after-free/","summary":"CVE-2026-32156 is a use-after-free vulnerability in the Windows Universal Plug and Play (UPnP) Device Host service that allows an unauthorized attacker to execute code locally.","title":"CVE-2026-32156 Use-After-Free Vulnerability in Windows UPnP Device Host","url":"https://feed.craftedsignal.io/briefs/2026-04-upnp-use-after-free/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["zyxel","router","command injection","cve-2026-13942","upnp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical command injection vulnerability, tracked as CVE-2026-13942, has been discovered in the UPnP (Universal Plug and Play) service of Zyxel routers. The vulnerability stems from insufficient validation of input within the UPnP SOAP request processing. An unauthenticated, remote attacker can exploit this flaw by sending specially crafted UPnP SOAP requests to the affected device. 
This allows the attacker to inject and execute arbitrary operating system commands with elevated privileges on…\u003c/p\u003e\n","date_modified":"2026-02-27T12:00:00Z","date_published":"2026-02-27T12:00:00Z","id":"/briefs/2026-02-zyxel-rce/","summary":"A critical command injection vulnerability (CVE-2026-13942) in the UPnP function of Zyxel routers allows remote attackers to execute arbitrary operating system commands by sending crafted UPnP SOAP requests.","title":"Critical Command Injection Vulnerability in Zyxel Routers (CVE-2026-13942)","url":"https://feed.craftedsignal.io/briefs/2026-02-zyxel-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Upnp","version":"https://jsonfeed.org/version/1.1"}