CVE-2013-0230

EXPLOITED

miniupnpd 1.0 - Remote Code Execution via Long Quoted Method in SOAPAction Handler

Title source: llm

Exploitation Summary

CVE-2013-0230 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Metasploit, Todor Donev and Onur Alanbel (BGA), among them the Metasploit module exploits/linux/upnp/miniupnpd_soap_bof.

AI-analyzed exploit summary: This Metasploit module exploits a stack buffer overflow in MiniUPnPd 1.0 via a malformed SOAPAction HTTP header, allowing remote code execution. The exploit constructs a payload with a jump instruction, valid SOAP action, and shellcode, targeting a specific return address to bypass stack protections.

Description

Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to execute arbitrary code via a long quoted method.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/25975

This Metasploit module exploits a stack buffer overflow in MiniUPnPd 1.0 via a malformed SOAPAction HTTP header, allowing remote code execution. The exploit constructs a payload with a jump instruction, valid SOAP action, and shellcode, targeting a specific return address to bypass stack protections.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MiniUPnPd 1.0
No auth needed
Prerequisites: Network access to the target's MiniUPnPd service (port 5555 by default) · Target running MiniUPnPd 1.0 on a vulnerable platform (e.g., Debian GNU/Linux 6.0)
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Todor Donev · perl · dos · hardware
https://www.exploit-db.com/exploits/37517

This Perl script exploits CVE-2013-0230, a denial-of-service vulnerability in miniupnpd/1.0. It crafts a malformed SSDP packet with an oversized payload and sends it via raw sockets to crash the target service.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: miniupnpd/1.0
No auth needed
Prerequisites: raw socket permissions (root access) · target device with vulnerable miniupnpd service exposed on UDP port 1900
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Onur Alanbel (BGA) · python · remote · multiple
https://www.exploit-db.com/exploits/36839

This exploit targets a stack overflow vulnerability in MiniUPnPd 1.0 (CVE-2013-0230) on AirTies RT Series routers, delivering a reverse shell via a crafted SOAP request. It uses MIPS shellcode and ROP gadgets to bypass protections and execute arbitrary code.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MiniUPnPd 1.0 on AirTies RT Series
No auth needed
Prerequisites: Network access to the target device · SOAP service exposed on port 5555
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC NORMAL
by hdm, Dejan Lukan, Onur ALANBEL · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb

This Metasploit module exploits a stack buffer overflow in MiniUPnPd 1.0 via the SOAPAction HTTP header, allowing remote code execution on vulnerable systems. It includes targets for Debian GNU/Linux 6.0 and Airties RT-212 devices.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MiniUPnPd 1.0
No auth needed
Prerequisites: Network access to the target device · MiniUPnPd 1.0 running on port 5555
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS: 0.6594
EPSS Percentile: 98.5%

Details

VulnCheck KEV: 2018-07-13
CWE: CWE-119
Status: published
Products (1): miniupnp_project/miniupnpd 1.0
Published: Jan 31, 2013
Tracked Since: Feb 18, 2026