CVE-2025-21300 Overview
CVE-2025-21300 is a Denial of Service vulnerability affecting the Windows Universal Plug and Play (UPnP) Device Host service across a wide range of Microsoft Windows operating systems. The UPnP Device Host service enables automatic network device discovery and connectivity, making it a critical component in enterprise and home network environments. This vulnerability allows remote attackers to cause service disruption without requiring authentication or user interaction.
Critical Impact
Remote attackers can exploit this vulnerability to cause denial of service conditions on Windows systems running the UPnP Device Host service, potentially disrupting network device discovery and connectivity across affected environments.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- January 14, 2025 - CVE-2025-21300 published to NVD
- February 13, 2026 - Last updated in NVD database
Technical Details for CVE-2025-21300
Vulnerability Analysis
This vulnerability is classified as CWE-400: Uncontrolled Resource Consumption, indicating that the UPnP Device Host service fails to properly limit resource allocation when processing network requests. The flaw can be exploited remotely over the network without any authentication or user interaction, making it accessible to any attacker with network access to the vulnerable service.
The attack can be launched against any Windows system where the UPnP Device Host service is enabled and accessible over the network. Given the widespread use of UPnP for automatic device discovery in both enterprise and consumer environments, the potential attack surface is significant.
Root Cause
The root cause of CVE-2025-21300 lies in improper resource consumption handling within the Windows UPnP Device Host service. When processing specially crafted network requests, the service fails to implement adequate controls on resource allocation, allowing an attacker to exhaust system resources and cause a denial of service condition.
Attack Vector
The vulnerability is exploitable over the network without requiring any privileges or user interaction. An attacker can send malicious network traffic to the UPnP Device Host service, triggering resource exhaustion that results in service unavailability. The attack does not compromise data confidentiality or integrity but directly impacts system availability.
The exploitation scenario involves an attacker identifying systems with the UPnP Device Host service accessible on the network, then sending crafted requests designed to trigger the resource exhaustion condition. This can affect network device discovery functionality and potentially impact dependent services.
Detection Methods for CVE-2025-21300
Indicators of Compromise
- Unusual network traffic patterns targeting UPnP service ports (typically UDP 1900 for SSDP)
- Abnormal resource consumption by the upnphost service or svchost.exe processes handling UPnP
- System event logs showing UPnP Device Host service crashes or restarts
- Network monitoring alerts for high-volume SSDP or UPnP protocol traffic from external sources
Detection Strategies
- Monitor for anomalous spikes in network traffic to UPnP-related ports, particularly UDP port 1900
- Implement network intrusion detection rules for malformed or high-frequency UPnP/SSDP requests
- Configure endpoint detection to alert on unexpected UPnP Device Host service terminations or resource spikes
- Deploy SentinelOne agents to detect behavioral anomalies associated with DoS exploitation attempts
Monitoring Recommendations
- Enable Windows Event Log monitoring for UPnP Device Host service events and failures
- Configure network flow analysis to baseline normal UPnP traffic and alert on deviations
- Implement SIEM correlation rules to detect potential DoS attack patterns against Windows services
- Monitor system resource utilization for signs of resource exhaustion attacks
How to Mitigate CVE-2025-21300
Immediate Actions Required
- Apply the latest Microsoft security updates from the January 2025 Patch Tuesday release
- Restrict network access to UPnP services using firewall rules where the service is not required
- Disable the UPnP Device Host service on systems where automatic device discovery is not needed
- Implement network segmentation to limit exposure of UPnP services to trusted networks only
Patch Information
Microsoft has released security updates to address this vulnerability as part of their regular patch cycle. Organizations should consult the Microsoft Security Update Guide for CVE-2025-21300 for detailed patch information, including specific KB articles for each affected Windows version. The security updates should be applied through Windows Update, WSUS, or Microsoft Update Catalog based on your organization's patch management processes.
Workarounds
- Disable the UPnP Device Host service via Services management console (services.msc) on systems that do not require UPnP functionality
- Block UDP port 1900 and TCP port 2869 at network firewalls to prevent external UPnP access
- Use Windows Firewall rules to restrict UPnP service access to trusted internal networks only
- Consider disabling SSDP Discovery service in conjunction with UPnP Device Host if network discovery is not required
# Disable UPnP Device Host service via PowerShell
Set-Service -Name "upnphost" -StartupType Disabled
Stop-Service -Name "upnphost" -Force
# Disable SSDP Discovery service
Set-Service -Name "SSDPSRV" -StartupType Disabled
Stop-Service -Name "SSDPSRV" -Force
# Windows Firewall rule to block external UPnP access
New-NetFirewallRule -DisplayName "Block External UPnP" -Direction Inbound -Protocol UDP -LocalPort 1900 -RemoteAddress "!LocalSubnet" -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
