NAT-PMP Protocol Vulnerability affects more than 1.2 Million SOHO devices

Pierluigi Paganini October 24, 2014

Security researchers at Rapid7 have discovered a serious NAT-PMP Protocol vulnerability that puts 1.2 Million SOHO routers at risk.

Another serious security flaw threatens more than 1.2 million SOHO routers worldwide. The vulnerability stems from “improper NAT-PMP protocol implementations and configuration flaws”, as explained by Jon Hart, a researcher at Rapid7.

Hart explained that the issue was discovered by the researchers during a scan of the public Internet run as part of Project Sonar, an ongoing study of public Internet-facing websites and devices.

Exploiting the vulnerability allows an attacker to carry out a range of malicious activities, the most serious of which is the ability to redirect traffic to a website controlled by the attackers.

In reality, as reported by Rapid7 CSO HD Moore, the Metasploit framework already includes modules that exploit NAT-PMP vulnerabilities; the principal problem, according to the expert, is that the scan did not allow Rapid7 to identify the specific products affected by the flaw.

[Image: nat-pmp metasploit]

As anticipated, the possible attacks vary: threat actors could cause a denial-of-service condition on the targeted device, gain access to the device settings, or reach the internal NAT client services.

What is the NAT-PMP?

NAT-PMP (NAT Port Mapping Protocol) is a technology that allows, among other things, Internet applications to configure SOHO routers and gateways without manual port-forwarding configuration. NAT-PMP runs over UDP port 5351 and automates the process of port forwarding. It is used by many networking devices to allow external users access to resources behind a NAT.

[Image: nat-pmp protocol]

The NAT-PMP protocol is widespread due to its simplicity, but, as highlighted by Hart, it requires careful configuration to avoid serious problems. During the scan, the researchers found nearly 1.2 million devices on the public Internet that responded to their external NAT-PMP solicitations. The responses fall into two categories of security vulnerability:

  • malicious port mapping manipulation.
  • information disclosure about the NAT-PMP device.

The analysis published by Hart detailed the following specific security issues:

  • Interception of Internal NAT Traffic: ~30,000 (2.5% of responding devices)
  • Interception of External Traffic: ~1.03m (86% of responding devices)
  • Access to Internal NAT Client Services: ~1.06m (88% of responding devices)
  • DoS Against Host Services: ~1.06m (88% of responding devices)
  • Information Disclosure about the NAT-PMP device: ~1.2m (100% of responding devices)

Moore explained that the interception of external traffic is a very serious issue:

“That will allow someone running a malware command and control kit or something like that to turn your system into a reverse proxy serving malicious traffic, start hosting malicious site on your router’s IP,” said Moore, “The way they do that is from the malicious system to flip the mapping back to you from all these vulnerable routers. And because of the way the protocol works, you don’t have to actually know where these devices are. You can literally spray them out across the ether.”

Hart explained that vulnerable devices are not compliant with the RFC 6886 specification, which states that a NAT gateway must not accept mapping requests directed at the external IP address it has on the Internet.

“The NAT gateway MUST NOT accept mapping requests destined to the NAT gateway’s external IP address or received on its external network interface.  Only packets received on the internal interface(s) with a destination address matching the internal address(es) of the NAT gateway should be allowed.” the specification says.
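As an added example (not code from the article, from Rapid7 or from any router vendor), the following Python model ties the protocol description above to the RFC 6886 rule just quoted: it decodes the two NAT-PMP request types, and a gateway handler answers only requests that arrive on the LAN interface addressed to the LAN address, silently dropping anything that arrives on the WAN side. The wire layout follows RFC 6886; the interface names, addresses and sample datagrams are constructed, and the external-port allocation and the LAN-source check are simplifications assumed here rather than anything the specification or the article prescribes.

```python
"""NAT-PMP (RFC 6886) request parsing plus the ingress check a compliant
gateway applies before answering.  Added example for this article; it is not
Rapid7's code or any vendor's firmware.  The wire layout follows RFC 6886;
interface names, addresses and the sample datagrams are constructed here."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

NATPMP_PORT = 5351        # UDP port NAT-PMP uses (RFC 6886)
OP_EXTERNAL_ADDRESS = 0   # client asks "what is my public IPv4?"
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESPONSE_BIT = 128        # response opcode = request opcode + 128
RESULT_SUCCESS, RESULT_BAD_VERSION, RESULT_BAD_OPCODE = 0, 1, 5


@dataclass
class NatPmpRequest:
    opcode: int
    internal_port: int = 0
    external_port: int = 0   # suggested external port, 0 means "any"
    lifetime: int = 0        # requested mapping lifetime in seconds


@dataclass(frozen=True)
class GatewayConfig:
    """Constructed gateway: LAN side eth0/192.168.1.1, WAN side eth1/203.0.113.7."""
    internal_iface: str
    internal_addr: IPv4Address
    lan: IPv4Network
    external_iface: str
    external_addr: IPv4Address


def parse_request(datagram: bytes) -> NatPmpRequest:
    """Decode a client-to-gateway request (all multi-byte fields big-endian).
    external address request: version(1)=0, opcode(1)=0
    mapping request: version(1)=0, opcode(1)=1|2, reserved(2),
                     internal port(2), suggested external port(2), lifetime(4)"""
    if len(datagram) < 2:
        raise ValueError("datagram too short")
    version, opcode = datagram[0], datagram[1]
    if version != 0:
        raise ValueError("unsupported version")
    if opcode == OP_EXTERNAL_ADDRESS:
        return NatPmpRequest(opcode)
    if opcode in (OP_MAP_UDP, OP_MAP_TCP) and len(datagram) >= 12:
        _, iport, eport, lifetime = struct.unpack("!HHHI", datagram[2:12])
        return NatPmpRequest(opcode, iport, eport, lifetime)
    raise ValueError("unknown opcode or truncated mapping request")


def accept_ingress(cfg: GatewayConfig, iface: str, dst: IPv4Address, src: IPv4Address) -> bool:
    """The RFC 6886 rule the vulnerable devices violate: only packets arriving on
    the internal interface and addressed to the internal address are processed.
    The source-in-LAN condition is an extra sanity check assumed here."""
    return iface == cfg.internal_iface and dst == cfg.internal_addr and src in cfg.lan


def handle_datagram(cfg: GatewayConfig, datagram: bytes, iface: str,
                    dst: IPv4Address, src: IPv4Address, epoch: int) -> Optional[bytes]:
    """Return the response a compliant gateway would send, or None for a silent
    drop.  Dropping (rather than sending an error) on the WAN side is deliberate:
    even an error reply confirms to a scanner that the device speaks NAT-PMP."""
    if not accept_ingress(cfg, iface, dst, src):
        return None
    op = datagram[1] if len(datagram) > 1 else 0
    try:
        req = parse_request(datagram)
    except ValueError as err:
        code = RESULT_BAD_VERSION if "version" in str(err) else RESULT_BAD_OPCODE
        # Error response: version, opcode|128, result code, seconds since epoch.
        return struct.pack("!BBHI", 0, op | RESPONSE_BIT, code, epoch)
    if req.opcode == OP_EXTERNAL_ADDRESS:
        return struct.pack("!BBHI4s", 0, RESPONSE_BIT, RESULT_SUCCESS, epoch,
                           cfg.external_addr.packed)
    # Simplified allocation (assumption): honour the suggested port, else mirror the internal one.
    mapped = req.external_port or req.internal_port
    return struct.pack("!BBHIHHI", 0, RESPONSE_BIT | req.opcode, RESULT_SUCCESS,
                       epoch, req.internal_port, mapped, req.lifetime)


GATEWAY = GatewayConfig("eth0", IPv4Address("192.168.1.1"), IPv4Network("192.168.1.0/24"),
                        "eth1", IPv4Address("203.0.113.7"))
# Constructed datagrams: an external-address request (the simplest NAT-PMP
# solicitation) and a TCP mapping request for internal port 8080 -> external 80.
PROBE = bytes([0, OP_EXTERNAL_ADDRESS])
MAP_TCP_8080_TO_80 = struct.pack("!BBHHHI", 0, OP_MAP_TCP, 0, 8080, 80, 3600)


def demo() -> dict:
    """Same bytes twice: answered when they come from the LAN, dropped from the WAN."""
    lan = dict(iface="eth0", dst=GATEWAY.internal_addr, src=IPv4Address("192.168.1.50"), epoch=1000)
    wan = dict(iface="eth1", dst=GATEWAY.external_addr, src=IPv4Address("198.51.100.9"), epoch=1000)
    return {
        "lan_probe": handle_datagram(GATEWAY, PROBE, **lan),
        "lan_map": handle_datagram(GATEWAY, MAP_TCP_8080_TO_80, **lan),
        "wan_probe": handle_datagram(GATEWAY, PROBE, **wan),
        "wan_map": handle_datagram(GATEWAY, MAP_TCP_8080_TO_80, **wan),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name:10s} -> {'dropped' if reply is None else reply.hex()}")
```

The WAN-side drop is the whole point: a gateway that answers the external-address request on its public interface is exactly what the scan counted under "information disclosure", and one that honours mapping requests there enables the traffic-redirection cases listed above.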

Hart also added that traffic destined for the NAT-PMP device's internal interface is less likely to be at risk, but it can still be redirected off the network to a service controlled by the attackers.

“This attack can also be used to cause the NAT-PMP device to respond to and forward traffic for services it isn’t even listening on,” Hart wrote. “For example, if the NAT-PMP device does not have a listening HTTP service on the external interface, this same flaw could be used to redirect inbound HTTP requests to another external host, making it appear that HTTP content hosted on the external host is hosted by the NAT-PMP device.”

The researchers close the post with a series of recommendations for vendors, ISPs and end users.

“Vendors producing products with NAT-PMP capabilities should take care to ensure that flaws like the ones disclosed in this document are not possible in normal and perhaps even abnormal configurations. ISPs and entities that act like ISPs should take care to ensure that the access devices provided to customers are similarly free from these flaws. Lastly, for consumers with NAT-PMP capable devices on your network, you should ensure that all NAT-PMP traffic is prohibited on un-trusted network interfaces.”

Pierluigi Paganini

(Security Affairs – NAT-PMP, hacking)
