What Is UPnP?
Universal Plug and Play (UPnP) is a set of networking protocols that allows devices and applications on your local network to automatically discover each other and configure network settings — most importantly, to request that your router open specific ports without requiring manual configuration.
When a game console, streaming device, or peer-to-peer application needs to be reachable from the internet, it sends a UPnP request to your router asking it to forward a specific external port to that device. The router complies automatically, without requiring you to log into the admin panel and create a port forwarding rule manually.
This is convenient for consumers: gaming consoles achieving NAT Type "Open" without manual configuration, Skype and video conferencing working without firewall tweaks, home NAS devices becoming accessible remotely. The tradeoff is security — you're delegating port forwarding decisions to software on your network rather than maintaining manual control.
Check which ports are currently forwarded on your router by reviewing its UPnP status page (usually under WAN, NAT, or Advanced settings), and verify external visibility with our port checker.
How UPnP Works Technically
UPnP operates using several underlying protocols:
- SSDP (Simple Service Discovery Protocol) — used to discover UPnP-capable devices on the network. Devices broadcast their presence via UDP multicast to 239.255.255.250:1900.
- SOAP (Simple Object Access Protocol) — XML-based protocol used by devices to send control requests to the router's UPnP service.
- IGD (Internet Gateway Device) — the specific UPnP service profile that routers expose, which includes the AddPortMapping action used to create port forwarding rules.
The typical flow:
- A game (running on your PC) sends an SSDP discovery broadcast looking for an Internet Gateway Device
- Your router responds, advertising its UPnP control URL
- The game sends a SOAP AddPortMapping request: "Please forward external port 3074 UDP to internal IP 192.168.1.50 port 3074"
- The router creates the rule and responds with success
- The game can now receive connections from the internet on that port
These mappings are typically temporary (they expire or are removed when the application closes), though some implementations create permanent rules. Check your router's UPnP port mapping table periodically to see what's been opened.
UPnP Security Risks
UPnP has a well-documented history of security vulnerabilities that affect both the protocol design and common implementations:
Local network trust exploitation: UPnP assumes all devices on your local network are trusted. Malware running on any device in your home can issue UPnP requests to expose any port to the internet — including creating reverse tunnels for command-and-control. A single infected device can compromise your entire network perimeter via UPnP.
Exposed control interface: Until 2013, many routers responded to UPnP SSDP discovery requests from the internet, not just the local network — meaning attackers could find and manipulate UPnP from outside your network. The FBI's 2013 warning about the "UPnP vulnerability" referred to this specific flaw (CVE-2012-5958 and related issues in libupnp). Modern routers have patched this, but legacy devices may still be vulnerable.
Weak authentication: Standard UPnP has no authentication mechanism. Any application on your local network can open any port, forward to any internal IP, or even reroute traffic — without any credential check.
Botnet abuse: The Mirai and related botnets leveraged UPnP extensively to expose devices and create proxy infrastructure. UPnP-enabled routers have been used to build covert SSDP amplification DDoS capabilities.
Check What Ports Are Open on Your Network
See which ports are publicly exposed on your IP with our instant port checker
Hide My IP NowShould You Disable UPnP?
The security community is divided, but the general recommendation for security-conscious users is to disable UPnP:
Arguments for disabling UPnP:
- Eliminates an entire class of local privilege escalation that allows malware to punch through your NAT
- Forces explicit review of every port forwarding rule you create
- Removes attack surface from your router's software stack
- Aligns with "default deny" security philosophy
Arguments for keeping UPnP enabled:
- Convenience for gaming consoles (Xbox, PlayStation achieve "Open NAT" which improves connectivity)
- Modern implementations on patched routers have largely addressed the internet-facing exposure issue
- For average home users without malware-infected devices, the practical risk is low
The middle ground: If you have gaming consoles or smart devices that rely on UPnP, keep it enabled but audit the port mapping table monthly. If you run a network with any servers or take security seriously, disable UPnP and create manual port forwarding rules for anything that legitimately needs external access. Verify with our port checker that only intended ports are exposed.
How to Check and Control UPnP on Your Router
Managing UPnP on your home router:
View current UPnP port mappings: Log into your router admin panel. Look for UPnP settings under WAN, NAT, Firewall, or Advanced. Most routers show a table of active UPnP-created port mappings. Review this list and investigate any unfamiliar entries — these may indicate applications (or malware) that opened ports without your knowledge.
Disable UPnP: Find the UPnP toggle in your router settings and disable it. After disabling, run our port checker to confirm previously UPnP-opened ports are now closed.
Enable UPnP logging: Some routers log UPnP requests. Enabling this gives you visibility into which devices are requesting port mappings and when.
Test UPnP exposure with a tool: GRC's ShieldsUP (grc.com) includes a UPnP exposure test. The Rapid7 ScanNow tool (now available as Metasploit module) can test whether your UPnP is responding to external requests.
For devices that need port forwarding (home servers, game servers, NAS), create manual port forwarding rules after disabling UPnP. This gives you full visibility and control over your network's attack surface. Cross-reference with common port numbers to understand what each service requires.
Frequently Asked Questions
Does disabling UPnP break gaming?
It may change your NAT type from 'Open' to 'Moderate' or 'Strict' on gaming consoles. Moderate NAT still allows gaming but may prevent direct peer-to-peer connections with some players. To restore Open NAT without UPnP, manually forward the specific ports your console needs (PlayStation typically uses 1935, 3478–3480; Xbox uses 3074, 3075; Nintendo Switch uses 1-65535 UDP, but practically just 1-30000). Look up your console's specific port requirements.
How can I tell if malware is using UPnP to open ports?
Check your router's UPnP port mapping table for unrecognized entries. If you see ports mapped to your PC that you didn't create, investigate the application. On your PC, use <code>netstat -ano</code> to find which process is listening on that port, then look up the process in Task Manager. Unexpected port mappings to common command-and-control ports (8080, 4444, 9001, etc.) are red flags.
Is UPnP the same as port forwarding?
UPnP is an automated way to create port forwarding rules. Manual port forwarding and UPnP-created rules accomplish the same thing — directing external traffic on a specific port to an internal device. The difference is that manual rules are created by you through the router admin panel, while UPnP rules are created automatically by applications on your network. Both types typically appear in the same port forwarding table.
Which devices use UPnP?
Gaming consoles (Xbox, PlayStation, Nintendo Switch), torrent clients (qBittorrent, uTorrent), Skype and similar VoIP clients, peer-to-peer file sharing applications, Plex Media Server, home NAS devices, smart TVs, and many IoT devices all use UPnP by default. Check which applications on your network request UPnP by reviewing your router's UPnP mapping table.
