Additional vulnerabilities, including ones that can be used in denial of service and remote code execution attacks, also exist in a UPnP library called MiniUPnP. Even though these vulnerabilities have been addressed in MiniUPnP versions released in 2008 and 2009, 14 percent of the Internet-exposed UPnP devices were using the vulnerable MiniUPnP 1.0 version, the Rapid7 researchers said.
Other issues have been identified in the latest version of MiniUPnP, 1.4, but they won't be publicly disclosed until the library's developer releases a patch to address them, they said.
"All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP," Moore said. "This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the Internet, a serious vulnerability in and of itself."
Belkin, Cisco, Netgear, D-Link and Asus, which all have vulnerable devices according to lists published by Rapid7, did not immediately respond to requests for comment sent Tuesday.
Moore believes that in most cases networked devices that are no longer being sold will not be updated and will remain exposed to remote attacks indefinitely unless their owners manually disable the UPnP functionality or replace them.
"These findings prove that too many vendors still haven't learned the basics of designing devices that default to a secure and robust configuration," said Thomas Kristensen, chief security officer at vulnerability research and management firm Secunia. "Devices that are intended for direct Internet connections should not run any services on their public interfaces by default, particularly not services like UPnP, which are solely intended for local 'trusted' networks."
Kristensen believes that many of the vulnerable devices are likely to remain unpatched until they are replaced, even if their manufacturers release firmware updates.
Many PC users don't even update PC software that they frequently use and are familiar with, he said. The task of finding the Web interface of a vulnerable networked device, obtaining the firmware update and going through the whole update process will likely be too intimidating for many users, he said.
The Rapid7 research paper includes security recommendations for Internet service providers, businesses and home users.