VYPR
Unrated severity · NVD Advisory · Published Jun 8, 2020 · Updated Aug 4, 2024

CVE-2020-12695

Description

CVE-2020-12695 (CallStranger) is a flaw in how UPnP devices handle the SUBSCRIBE Callback header: an attacker can force a device into SSRF-like requests to arbitrary URLs, enabling data exfiltration, DDoS amplification, and internal port scanning.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2020-12695, known as CallStranger, is a vulnerability in the Universal Plug and Play (UPnP) protocol specification maintained by the Open Connectivity Foundation (OCF) [1][3]. The flaw resides in the SUBSCRIBE function, which allows a caller to request event notifications and specify a Callback header containing a delivery URL. The specification before 2020-04-17 does not require that this callback URL reside on the same network segment as the original subscription request [1][3]. This enables a server-side request forgery (SSRF)-like condition in billions of devices that implement the affected UPnP stack, including personal computers, networking equipment, game consoles, and IoT devices [1][3]. Versions of the UPnP specification prior to the 2020-04-17 update are affected [1][3].

Exploitation

An attacker can send a crafted HTTP SUBSCRIBE request to a vulnerable UPnP device, setting the Callback header to an arbitrary URL [1][3][4]. No authentication is required if the device exposes UPnP on a reachable network interface. The vulnerable device then sends an HTTP NOTIFY request to the attacker-supplied URL when the subscribed event occurs [4]. This allows the attacker to force the device to connect to any destination, regardless of network segmentation. Exploitation requires only network access to the UPnP endpoint; no user interaction is needed beyond the initial device configuration [4]. Proof-of-concept code is publicly available [1][2].

Impact

Successful exploitation yields three primary impacts [1][3][4]:

1. Data exfiltration – an attacker can encode sensitive data into the callback URL, causing the UPnP device to send that data to an external server, bypassing Data Loss Prevention (DLP) controls [1][4].
2. Amplified DDoS – the attacker can reflect and amplify TCP traffic toward a victim by causing many UPnP devices to connect simultaneously to the target, overwhelming it [1][3].
3. Internal port scanning – an internet-facing UPnP device can be used to scan internal network ports of other assets, revealing services behind firewalls [1][4].

The attacker effectively gains an SSRF primitive with the trust level and network position of the compromised device, which may be inside a protected network segment.

Mitigation

The OCF updated the UPnP specification on 2020-04-17 to reject subscription requests where the Callback URL does not match the network segment of the original request [1][3]. Device vendors must implement this updated specification in firmware updates. As a workaround, users can disable UPnP on firewalls and network devices, or block TCP port 2869 and other UPnP-related ports at the perimeter [4]. Network monitoring with Zeek or similar tools can detect anomalous SUBSCRIBE requests with mismatched callback hosts [4]. As of the publication date, the vulnerability is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

References

[1] GitHub - yunuscadirci/CallStranger: Vulnerability checker for Callstranger (CVE-2020-12695)
[2] Packet Storm - CallStranger UPnP Vulnerability Checker
[3] Tenable Blog - CVE-2020-12695: CallStranger Vulnerability in Universal Plug and Play (UPnP)
[4] Corelight Blog - Detecting the CallStranger UPnP Vulnerability With Zeek

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 15

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"Missing validation of the Callback header in the UPnP SUBSCRIBE function allows an attacker to specify an arbitrary delivery URL on any network segment."

Attack vector

An attacker sends a specially crafted HTTP SUBSCRIBE request to a vulnerable UPnP device, controlling the Callback header value [ref_id=1]. The UPnP device does not validate the callback URL, so the attacker can supply an arbitrary URL pointing to an external server, an internal host, or a target to flood [ref_id=2]. When the subscribed event occurs, the device sends an HTTP NOTIFY request to that arbitrary URL, enabling three attack scenarios: data exfiltration (by encoding stolen data into the callback URL), reflected amplified TCP DDoS (by flooding a target with SYN packets from many UPnP devices), and intranet port scanning (by probing internal hosts from an internet-exposed UPnP device) [ref_id=1][ref_id=2]. The attacker does not need authentication; the only precondition is network access to a UPnP-enabled device that accepts SUBSCRIBE requests.

Affected code

The vulnerability resides in the UPnP SUBSCRIBE function, which is part of the UPnP protocol specification managed by the Open Connectivity Foundation (OCF) [ref_id=1]. The SUBSCRIBE feature allows an interested party to request notification of certain events occurring on a UPnP-enabled device, and it accepts a Callback header value (a delivery URL) without validating whether that URL is on a different network segment than the fully qualified event-subscription URL [ref_id=1][ref_id=2]. No specific file or function names are provided in the advisory beyond the protocol-level SUBSCRIBE function.

What the fix does

The Open Connectivity Foundation (OCF) addressed the vulnerability by making changes to the UPnP protocol specification as of 2020-04-17 [ref_id=1]. The fix requires that UPnP devices reject subscription requests where the delivery URL (the Callback header) is on a different network segment than the fully qualified event-subscription URL, preventing the SSRF-like abuse [ref_id=1]. Since this is a protocol-level fix, individual device manufacturers must implement the updated specification in their firmware; the advisory notes that patches will be released over time for supported devices [ref_id=1].
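The Mitigation section above and this description of the fix both come down to one rule: a SUBSCRIBE request is rejected when the delivery host in the Callback header is not on the same network segment as the event-subscription URL. The following Python is an added example written for this page, not code from the OCF specification, the CallStranger checker, or any vendor firmware. It implements that rule as a device-side check and then runs the same check over constructed captured requests, which is the shape of the monitoring the Mitigation section describes. The event-subscription URL, the /24 prefix length, and every sample request are constructed values; the decision to accept only IP-literal callback hosts is this example's own design choice.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A Callback header carries one or more delivery URLs, each in angle brackets:
#   CALLBACK: <http://192.168.1.50:8080/notify>
CALLBACK_URL_RE = re.compile(r"<([^>]+)>")

# Hypothetical event-subscription URL of the device being protected and the
# prefix length of the interface it is served on (constructed values).
EVENT_SUB_URL = "http://192.168.1.20:2869/upnp/eventing/service1"
IFACE_PREFIXLEN = 24


def parse_callback_urls(header_value):
    """Return the delivery URLs listed in a SUBSCRIBE Callback header value."""
    return CALLBACK_URL_RE.findall(header_value)


def parse_subscribe(raw_request):
    """Split a raw HTTP request into (method, lowercase-keyed headers)."""
    lines = raw_request.strip().splitlines()
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers


def callback_allowed(callback_url, subscription_url=EVENT_SUB_URL, prefixlen=IFACE_PREFIXLEN):
    """Apply the 2020-04-17 rule: the delivery host must lie on the same network
    segment as the event-subscription URL. Returns (allowed, reason)."""
    cb = urlsplit(callback_url)
    if cb.scheme != "http":
        return False, f"unsupported scheme {cb.scheme!r}"
    try:
        # Only IP literals are accepted (assumption of this example): a hostname
        # would have to be resolved, and the resolved address could point anywhere.
        cb_ip = ipaddress.ip_address(cb.hostname)
    except ValueError:
        return False, f"callback host {cb.hostname!r} is not an IP literal"
    sub_ip = ipaddress.ip_address(urlsplit(subscription_url).hostname)
    segment = ipaddress.ip_network(f"{sub_ip}/{prefixlen}", strict=False)
    if cb_ip not in segment:
        return False, f"{cb_ip} is outside {segment}"
    return True, "same segment"


def check_subscribe(raw_request, subscription_url=EVENT_SUB_URL, prefixlen=IFACE_PREFIXLEN):
    """Decide whether a SUBSCRIBE request should be accepted. Returns (accept, reason)."""
    method, headers = parse_subscribe(raw_request)
    if method != "SUBSCRIBE":
        return False, f"not a SUBSCRIBE request ({method})"
    if "callback" not in headers:
        # A subscription renewal carries a SID and no Callback; nothing to validate.
        if "sid" in headers:
            return True, "renewal"
        return False, "missing Callback header"
    urls = parse_callback_urls(headers["callback"])
    if not urls:
        return False, "Callback header contains no <url>"
    for url in urls:
        ok, reason = callback_allowed(url, subscription_url, prefixlen)
        if not ok:
            return False, f"{url}: {reason}"
    return True, "all callback URLs on local segment"


# Constructed sample requests, as a monitor might capture them on TCP 2869.
SAMPLE_REQUESTS = {
    "lan": "SUBSCRIBE /upnp/eventing/service1 HTTP/1.1\r\nHOST: 192.168.1.20:2869\r\n"
           "CALLBACK: <http://192.168.1.50:8080/notify>\r\nNT: upnp:event\r\nTIMEOUT: Second-1800\r\n",
    "external": "SUBSCRIBE /upnp/eventing/service1 HTTP/1.1\r\nHOST: 192.168.1.20:2869\r\n"
                "CALLBACK: <http://203.0.113.10/collect>\r\nNT: upnp:event\r\nTIMEOUT: Second-1800\r\n",
    "other_subnet": "SUBSCRIBE /upnp/eventing/service1 HTTP/1.1\r\nHOST: 192.168.1.20:2869\r\n"
                    "CALLBACK: <http://10.0.0.5:22/>\r\nNT: upnp:event\r\nTIMEOUT: Second-1800\r\n",
    "hostname": "SUBSCRIBE /upnp/eventing/service1 HTTP/1.1\r\nHOST: 192.168.1.20:2869\r\n"
                "CALLBACK: <http://callback.example/notify>\r\nNT: upnp:event\r\nTIMEOUT: Second-1800\r\n",
    "renewal": "SUBSCRIBE /upnp/eventing/service1 HTTP/1.1\r\nHOST: 192.168.1.20:2869\r\n"
               "SID: uuid:00000000-0000-0000-0000-000000000001\r\nTIMEOUT: Second-1800\r\n",
}


def audit_requests(samples, subscription_url=EVENT_SUB_URL, prefixlen=IFACE_PREFIXLEN):
    """Run the check over captured requests; return (label, reason) for each rejection."""
    findings = []
    for label, raw in samples.items():
        accept, reason = check_subscribe(raw, subscription_url, prefixlen)
        if not accept:
            findings.append((label, reason))
    return findings


if __name__ == "__main__":
    for label, reason in audit_requests(SAMPLE_REQUESTS):
        print(f"REJECT {label}: {reason}")
```

Run stand-alone, the script rejects the external, other-subnet and hostname samples and accepts the LAN subscription and the renewal. On a device the check belongs in the SUBSCRIBE handler before any subscription state is stored; in a monitor the same function runs over decoded requests, and every rejection is a candidate alert, since a legitimate control point on the local segment has no reason to name a delivery host elsewhere.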

Preconditions

  • network: Attacker must have network access to a UPnP-enabled device that accepts SUBSCRIBE requests (typically on TCP port 2869 or UDP 1900).
  • auth: No authentication is required; the SUBSCRIBE function is accessible without credentials on most UPnP implementations.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 15

News mentions: 0 (No linked articles in our index yet.)