Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-21300

CVE-2025-21300: Windows 10 1507 UPnP DoS Vulnerability

CVE-2025-21300 is a denial of service vulnerability in Windows Universal Plug and Play Device Host affecting Windows 10 1507. Attackers can exploit this flaw to disrupt system availability. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-21300 Overview

CVE-2025-21300 is a Denial of Service vulnerability affecting the Windows Universal Plug and Play (UPnP) Device Host service across a wide range of Microsoft Windows operating systems. The UPnP Device Host service enables automatic network device discovery and connectivity, making it a critical component in enterprise and home network environments. This vulnerability allows remote attackers to cause service disruption without requiring authentication or user interaction.

Critical Impact

Remote attackers can exploit this vulnerability to cause denial of service conditions on Windows systems running the UPnP Device Host service, potentially disrupting network device discovery and connectivity across affected environments.

Affected Products

  • Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (versions 22H2, 23H2, 24H2)
  • Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025

Discovery Timeline

  • January 14, 2025 - CVE-2025-21300 published to NVD
  • February 13, 2026 - Last updated in NVD database

Technical Details for CVE-2025-21300

Vulnerability Analysis

This vulnerability is classified as CWE-400: Uncontrolled Resource Consumption, indicating that the UPnP Device Host service fails to properly limit resource allocation when processing network requests. The flaw can be exploited remotely over the network without any authentication or user interaction, making it accessible to any attacker with network access to the vulnerable service.

The attack can be launched against any Windows system where the UPnP Device Host service is enabled and accessible over the network. Given the widespread use of UPnP for automatic device discovery in both enterprise and consumer environments, the potential attack surface is significant.

Root Cause

The root cause of CVE-2025-21300 lies in improper resource consumption handling within the Windows UPnP Device Host service. When processing specially crafted network requests, the service fails to implement adequate controls on resource allocation, allowing an attacker to exhaust system resources and cause a denial of service condition.

Attack Vector

The vulnerability is exploitable over the network without requiring any privileges or user interaction. An attacker can send malicious network traffic to the UPnP Device Host service, triggering resource exhaustion that results in service unavailability. The attack does not compromise data confidentiality or integrity but directly impacts system availability.

The exploitation scenario involves an attacker identifying systems with the UPnP Device Host service accessible on the network, then sending crafted requests designed to trigger the resource exhaustion condition. This can affect network device discovery functionality and potentially impact dependent services.

Detection Methods for CVE-2025-21300

Indicators of Compromise

  • Unusual network traffic patterns targeting UPnP service ports (typically UDP 1900 for SSDP)
  • Abnormal resource consumption by the upnphost service or svchost.exe processes handling UPnP
  • System event logs showing UPnP Device Host service crashes or restarts
  • Network monitoring alerts for high-volume SSDP or UPnP protocol traffic from external sources

Detection Strategies

  • Monitor for anomalous spikes in network traffic to UPnP-related ports, particularly UDP port 1900
  • Implement network intrusion detection rules for malformed or high-frequency UPnP/SSDP requests
  • Configure endpoint detection to alert on unexpected UPnP Device Host service terminations or resource spikes
  • Deploy SentinelOne agents to detect behavioral anomalies associated with DoS exploitation attempts

Monitoring Recommendations

  • Enable Windows Event Log monitoring for UPnP Device Host service events and failures
  • Configure network flow analysis to baseline normal UPnP traffic and alert on deviations
  • Implement SIEM correlation rules to detect potential DoS attack patterns against Windows services
  • Monitor system resource utilization for signs of resource exhaustion attacks

How to Mitigate CVE-2025-21300

Immediate Actions Required

  • Apply the latest Microsoft security updates from the January 2025 Patch Tuesday release
  • Restrict network access to UPnP services using firewall rules where the service is not required
  • Disable the UPnP Device Host service on systems where automatic device discovery is not needed
  • Implement network segmentation to limit exposure of UPnP services to trusted networks only

Patch Information

Microsoft has released security updates to address this vulnerability as part of their regular patch cycle. Organizations should consult the Microsoft Security Update Guide for CVE-2025-21300 for detailed patch information, including specific KB articles for each affected Windows version. The security updates should be applied through Windows Update, WSUS, or Microsoft Update Catalog based on your organization's patch management processes.

Workarounds

  • Disable the UPnP Device Host service via Services management console (services.msc) on systems that do not require UPnP functionality
  • Block UDP port 1900 and TCP port 2869 at network firewalls to prevent external UPnP access
  • Use Windows Firewall rules to restrict UPnP service access to trusted internal networks only
  • Consider disabling SSDP Discovery service in conjunction with UPnP Device Host if network discovery is not required
bash
# Disable UPnP Device Host service via PowerShell
Set-Service -Name "upnphost" -StartupType Disabled
Stop-Service -Name "upnphost" -Force

# Disable SSDP Discovery service
Set-Service -Name "SSDPSRV" -StartupType Disabled
Stop-Service -Name "SSDPSRV" -Force

# Windows Firewall rule to block external UPnP access
New-NetFirewallRule -DisplayName "Block External UPnP" -Direction Inbound -Protocol UDP -LocalPort 1900 -RemoteAddress "!LocalSubnet" -Action Block

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.