CVE-2012-5960

portable SDK for UPnP Devices < 1.6.18 - Stack-based Buffer Overflow via UDN Field in UDP Packet

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2012-5960. PoCs published by finn79426.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2012-5960, a denial-of-service (DoS) vulnerability in libupnp 1.6.13. The exploit sends a malformed SSDP M-SEARCH request with an overly long UUID field to trigger a buffer overflow, causing the target service to crash.

Description

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka upnp:rootdevice) field in a UDP packet.

Exploits (2)

nomisec WORKING POC
by finn79426 · poc
https://github.com/finn79426/CVE-2012-5960-PoC

This repository contains a proof-of-concept exploit for CVE-2012-5960, a denial-of-service (DoS) vulnerability in libupnp 1.6.13. The exploit sends a malformed SSDP M-SEARCH request with an overly long UUID field to trigger a buffer overflow, causing the target service to crash.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: libupnp 1.6.13
No auth needed
Prerequisites: Network access to the target's SSDP service (UDP port 1900)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
rubyremoteunix
https://www.exploit-db.com/exploits/24455

This Metasploit module exploits a buffer overflow in the `unique_service_name()` function of libupnp's SSDP processor, allowing remote code execution on vulnerable devices. It stages the payload via a secondary TCP connection due to size limitations.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Portable UPnP SDK (libupnp) versions including Intel SDK for UPnP Devices 1.3.1
No auth needed
Prerequisites: Network access to UDP port 1900 · Vulnerable UPnP service running on target
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (13)

Core 13
Core References
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2013:098
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2013/dsa-2615
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2013/dsa-2614
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/57602
Product x_refsource_confirm
http://pupnp.sourceforge.net/ChangeLog
Patch, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/922681
Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2017-10
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-02/msg00013.html
Third Party Advisory x_refsource_confirm
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0037

Scores

EPSS 0.5599
EPSS Percentile 98.2%

Details

CWE
CWE-119
Status published
Products (26)
portable_sdk_for_upnp_project/portable_sdk_for_upnp 1.4.0
portable_sdk_for_upnp_project/portable_sdk_for_upnp 1.4.1
portable_sdk_for_upnp_project/portable_sdk_for_upnp 1.4.2
portable_sdk_for_upnp_project/portable_sdk_for_upnp 1.4.3
portable_sdk_for_upnp_project/portable_sdk_for_upnp 1.4.4
portable_sdk_for_upnp_project/portable_sdk_for_upnp 1.4.5
portable_sdk_for_upnp_project/portable_sdk_for_upnp 1.4.6
portable_sdk_for_upnp_project/portable_sdk_for_upnp 1.4.7
portable_sdk_for_upnp_project/portable_sdk_for_upnp 1.6.0
portable_sdk_for_upnp_project/portable_sdk_for_upnp 1.6.1
... and 16 more
Published Jan 31, 2013
Tracked Since Feb 18, 2026