CVE-2025-21300 in Windowsinfo

Summary

by MITRE • 01/14/2025

Windows Universal Plug and Play (UPnP) Device Host Denial of Service Vulnerability

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 02/14/2026

The Windows Universal Plug and Play UPnP Device Host vulnerability represents a critical denial of service weakness that affects the core UPnP functionality within Microsoft Windows operating systems. This vulnerability resides in the UPnP Device Host service which is responsible for managing and facilitating communication between network devices through the UPnP protocol. The flaw specifically manifests when the service processes malformed or specially crafted UPnP control requests that are designed to exploit memory handling issues within the device host component. The vulnerability impacts multiple Windows versions including Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022, making it particularly concerning for enterprise environments where UPnP services are commonly enabled. The UPnP protocol is widely used for automatic network device discovery and configuration, making this vulnerability a potential vector for attackers to disrupt network services and device connectivity across enterprise and consumer networks.

The technical exploitation of this vulnerability occurs through the manipulation of UPnP control messages that are sent to the UPnP Device Host service. When the service receives these malformed packets, it fails to properly validate the incoming data structure, leading to memory corruption that ultimately results in a service crash or system hang. The flaw is classified as a buffer over-read condition where the UPnP Device Host service attempts to access memory locations beyond the allocated buffer boundaries. This type of vulnerability is categorized under CWE-129 as Improper Validation of Array Index and falls under the broader category of memory safety issues that have been extensively documented in the cybersecurity community. The vulnerability can be triggered remotely through network-based attacks, requiring no authentication or user interaction, making it particularly dangerous for networked environments. Attackers can craft malicious UPnP control requests that cause the service to consume excessive system resources or execute invalid memory operations that lead to system instability.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise entire network infrastructures where UPnP is enabled. Organizations that rely on UPnP for device discovery and automatic configuration may experience widespread service outages when this vulnerability is exploited, affecting everything from home networks to enterprise device management systems. The denial of service condition can persist until the affected service is manually restarted or the system is rebooted, creating extended downtime periods that can significantly impact business operations. Network administrators may observe frequent service crashes, intermittent connectivity issues, and overall degradation of network performance as the vulnerable service repeatedly fails and restarts. The vulnerability also creates opportunities for more sophisticated attacks as attackers can use the service disruption to mask other malicious activities or to gain further access to compromised systems. From an attack surface perspective, this vulnerability aligns with ATT&CK technique T1499.004 which involves network denial of service attacks, and T1566.001 which covers spearphishing with social engineering, as attackers may use this vulnerability as part of broader attack campaigns.

Mitigation strategies for this vulnerability should focus on both immediate remediation and long-term network security improvements. Microsoft has released security updates that address this vulnerability through patches that improve input validation and memory handling within the UPnP Device Host service. Organizations should prioritize applying these patches immediately to all affected systems, particularly in enterprise environments where network devices rely heavily on UPnP functionality. Network segmentation and firewall rules can be implemented to restrict UPnP traffic between network segments, reducing the attack surface and limiting the potential impact of exploitation. Disabling UPnP services where they are not required provides an additional layer of protection, though this may impact legitimate device discovery and configuration processes. Monitoring and logging of UPnP traffic can help detect potential exploitation attempts, and security information and event management systems should be configured to alert on unusual service behavior or frequent restarts of the UPnP Device Host service. Additionally, implementing network access control measures and regular vulnerability assessments can help identify systems that may be running vulnerable versions of Windows or have UPnP enabled inappropriately, ensuring comprehensive protection against this and similar vulnerabilities.

Responsible

Microsoft

Disclosure

01/14/2025

Moderation

accepted

CPE

ready

EPSS

0.02440

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!