CVE-2020-12695

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

• CWE-276

• http://packetstormsecurity.com/files/158051/CallStranger-UPnP-Vulnerability-Checker.htmlThird Party Advisory, VDB Entry
• http://www.openwall.com/lists/oss-security/2020/06/08/2Mailing List, Third Party Advisory
• https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/Third Party Advisory
• https://github.com/corelight/callstranger-detectorThird Party Advisory
• https://github.com/yunuscadirci/CallStrangerThird Party Advisory
• https://lists.debian.org/debian-lts-announce/2020/08/msg00011.htmlThird Party Advisory
• https://lists.debian.org/debian-lts-announce/2020/08/msg00013.htmlThird Party Advisory
• https://lists.debian.org/debian-lts-announce/2020/12/msg00017.htmlThird Party Advisory
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3SHL4LOFGHJ3DIXSUIQELGVBDJ7V7LB/Mailing List, Third Party Advisory
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZDWHKGN3LMGSUEOAAVAMOD3IUIPJVOJ/Mailing List, Third Party Advisory
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQEYVY4D7LASH6AI4WK3IK2QBFHHF3Q2/Mailing List, Third Party Advisory
• https://usn.ubuntu.com/4494-1/Third Party Advisory
• https://www.callstranger.comBroken Link
• https://www.debian.org/security/2020/dsa-4806Third Party Advisory
• https://www.debian.org/security/2021/dsa-4898Third Party Advisory
• https://www.kb.cert.org/vuls/id/339275Third Party Advisory, US Government Resource
• https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-ofThird Party Advisory
• http://packetstormsecurity.com/files/158051/CallStranger-UPnP-Vulnerability-Checker.htmlThird Party Advisory, VDB Entry
• http://www.openwall.com/lists/oss-security/2020/06/08/2Mailing List, Third Party Advisory
• https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/Third Party Advisory
• https://github.com/corelight/callstranger-detectorThird Party Advisory
• https://github.com/yunuscadirci/CallStrangerThird Party Advisory
• https://lists.debian.org/debian-lts-announce/2020/08/msg00011.htmlThird Party Advisory
• https://lists.debian.org/debian-lts-announce/2020/08/msg00013.htmlThird Party Advisory
• https://lists.debian.org/debian-lts-announce/2020/12/msg00017.htmlThird Party Advisory
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3SHL4LOFGHJ3DIXSUIQELGVBDJ7V7LB/Mailing List, Third Party Advisory
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZDWHKGN3LMGSUEOAAVAMOD3IUIPJVOJ/Mailing List, Third Party Advisory
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQEYVY4D7LASH6AI4WK3IK2QBFHHF3Q2/Mailing List, Third Party Advisory
• https://usn.ubuntu.com/4494-1/Third Party Advisory
• https://www.callstranger.comBroken Link
• https://www.debian.org/security/2020/dsa-4806Third Party Advisory
• https://www.debian.org/security/2021/dsa-4898Third Party Advisory
• https://www.kb.cert.org/vuls/id/339275Third Party Advisory, US Government Resource
• https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-ofThird Party Advisory

Published

Jun 8, 2020

Last Modified

Jun 17, 2026

Status

Modified