CVE-2012-5958

EXPLOITED

libupnp < 1.6.18 - Remote Code Execution via SSDP Unique Service Name Parsing

Title source: llm

Exploitation Summary

CVE-2012-5958 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including Patrik Lantz, lochiiconnectivity, and hmrumman777-beep, among them the Metasploit module exploits/multi/upnp/libupnp_ssdp_overflow.

AI-analyzed exploit summary: This exploit triggers a stack-based buffer overflow in libupnp versions <= 1.6.6 by sending a maliciously crafted M-SEARCH SSDP packet with an oversized 'ST' header. The payload consists of 324 'A' characters followed by 'BBBB', designed to crash the service (DoS).

Description

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction.

Exploits (5)

exploitdb WORKING POC
by Patrik Lantz · python · dos · linux
https://www.exploit-db.com/exploits/49119

This exploit triggers a stack-based buffer overflow in libupnp versions <= 1.6.6 by sending a maliciously crafted M-SEARCH SSDP packet with an oversized 'ST' header. The payload consists of 324 'A' characters followed by 'BBBB', designed to crash the service (DoS).

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: libupnp <= 1.6.6
No auth needed
Prerequisites: Network access to the target's SSDP service (UDP port 1900)
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 1 stars
by lochiiconnectivity · poc
https://github.com/lochiiconnectivity/vulnupnp

This Perl script scans for UPnP devices vulnerable to CVE-2013-0229, CVE-2013-0230, CVE-2012-5958, and CVE-2012-5959 by sending an M-SEARCH request and analyzing the response for known vulnerable software versions.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: MiniUPnPd (versions 1.0, 1.0-1.3), Intel SDK for UPnP devices, Portable SDK for UPnP devices
No auth needed
Prerequisites: Network access to the target device's UPnP service (UDP port 1900)
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER
by hmrumman777-beep · poc
https://github.com/hmrumman777-beep/NetAudit-IoT

The repository contains a reconnaissance tool for detecting vulnerable libupnp versions (CVE-2012-5958) via banner grabbing and XML fuzzing, but does not include functional exploit code for achieving RCE.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: libupnp 1.6.19
No auth needed
Prerequisites: network access to target device · UPnP service exposed on port 1900
devstral-2 · analyzed Apr 28, 2026

exploitdb WORKING POC
ruby · remote · unix
https://www.exploit-db.com/exploits/24455

This Metasploit module exploits a buffer overflow in the `unique_service_name()` function of libupnp's SSDP processor, allowing remote code execution on vulnerable devices. It stages the payload over a secondary TCP connection due to size limitations.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Portable UPnP SDK (libupnp) 1.3.1
No auth needed
Prerequisites: Network access to the target device's SSDP service (UDP port 1900) · Vulnerable version of libupnp running on the target
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC NORMAL
by hdm · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb

This Metasploit module exploits a buffer overflow in the `unique_service_name()` function of libupnp's SSDP processor, allowing remote code execution on vulnerable devices. It stages the payload over a secondary TCP connection due to size limitations.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Portable UPnP SDK (libupnp) versions 1.3.1 and 1.4.1
No auth needed
Prerequisites: Network access to the target device on port 1900 (SSDP) · Vulnerable version of libupnp running on the target
devstral-2 · analyzed Feb 16, 2026

References (18)

Core References
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2013:098
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2013/dsa-2615
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2013/dsa-2614
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/57602
Product x_refsource_confirm
http://pupnp.sourceforge.net/ChangeLog
Patch, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/922681
Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2017-10
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-02/msg00013.html
Third Party Advisory x_refsource_confirm
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0037

Scores

EPSS 0.8795
EPSS Percentile 99.5%

Details

VulnCheck KEV 2018-07-13
CWE
CWE-119
Status published
Products (26)
libupnp_project/libupnp 1.4.0
libupnp_project/libupnp 1.4.1
libupnp_project/libupnp 1.4.2
libupnp_project/libupnp 1.4.3
libupnp_project/libupnp 1.4.4
libupnp_project/libupnp 1.4.5
libupnp_project/libupnp 1.4.6
libupnp_project/libupnp 1.4.7
libupnp_project/libupnp 1.6.0
libupnp_project/libupnp 1.6.1
... and 16 more
Published Jan 31, 2013
Tracked Since Feb 18, 2026