CVE-2020-12695

HIGH

Open Connectivity Foundation UPnP <2020-04-17 - SSRF

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-12695. PoCs published by yunuscadirci, corelight.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2020-12695 (CallStranger), a vulnerability in UPnP devices that allows for SSRF, DDoS amplification, and data exfiltration. The PoC includes scripts to subscribe to UPnP services and verify their vulnerability by interacting with a remote server.

Description

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

Exploits (2)

Working PoC (source: nomisec) · 403 stars
by yunuscadirci · poc
https://github.com/yunuscadirci/CallStranger

This repository contains a proof-of-concept exploit for CVE-2020-12695 (CallStranger), a vulnerability in UPnP devices that allows for SSRF, DDoS amplification, and data exfiltration. The PoC includes scripts to subscribe to UPnP services and verify their vulnerability by interacting with a remote server.

Classification
Working PoC (95% confidence)
Attack Type
SSRF
Complexity
Moderate
Reliability
Reliable
Target: UPnP devices with vulnerable implementations
No auth needed
Prerequisites: Network access to vulnerable UPnP device · External server to verify vulnerability
Analyzed by devstral-2 on Feb 16, 2026

Writeup (source: nomisec) · 6 stars
by corelight · poc
https://github.com/corelight/callstranger-detector

This repository provides a Zeek package for detecting CallStranger (CVE-2020-12695) exploitation attempts, focusing on UPnP SUBSCRIBE and NOTIFY commands to identify potential DDoS amplification or data exfiltration. It includes configuration options for tuning detection thresholds and ignoring false positives.

Classification
Writeup (100% confidence)
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: UPnP devices
No auth needed
Prerequisites: UPnP traffic exposure · Zeek installation
Analyzed by devstral-2 on Feb 16, 2026

References (17)

Core References
https://www.callstranger.com (misc; broken link)
https://www.kb.cert.org/vuls/id/339275 (third-party advisory, US government resource)
http://www.openwall.com/lists/oss-security/2020/06/08/2 (mailing list, third-party advisory)
https://github.com/yunuscadirci/CallStranger (third-party advisory)
https://github.com/corelight/callstranger-detector (third-party advisory)
https://lists.debian.org/debian-lts-announce/2020/08/msg00011.html (mailing list, third-party advisory)
https://lists.debian.org/debian-lts-announce/2020/08/msg00013.html (mailing list, third-party advisory)
https://usn.ubuntu.com/4494-1/ (vendor advisory, Ubuntu)
https://www.debian.org/security/2020/dsa-4806 (vendor advisory, Debian)
https://lists.debian.org/debian-lts-announce/2020/12/msg00017.html (mailing list, third-party advisory)
https://www.debian.org/security/2021/dsa-4898 (vendor advisory, Debian)

Scores

CVSS v3 7.5
EPSS 0.1519
EPSS Percentile 96.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H

Details

CWE
CWE-276
Status published
Products (50)
asus/rt-n11
broadcom/adsl
canon/selphy_cp1200
canonical/ubuntu_linux 20.04
cisco/wap131
cisco/wap150
cisco/wap351
debian/debian_linux 9.0
debian/debian_linux 10.0
dell/b1165nfw
... and 40 more
Published Jun 08, 2020
Tracked Since Feb 18, 2026