Universal Plug and Play (UPnP) solves a real problem: most people don't know how to configure port forwarding, and they shouldn't have to. When your gaming console needs incoming connections for multiplayer, or your media server needs to be reachable from outside your home, UPnP handles it automatically. No router login, no port numbers, no confusion.
The tradeoff is significant. UPnP is a protocol that says yes. Any device on your network can ask your router to open a port to the Internet, and the router just... does it. No password. No approval. No questions asked.
How It Works
UPnP is a set of protocols that lets devices discover each other and configure network services automatically. The piece that matters for home networks is the Internet Gateway Device (IGD) protocol, which handles automatic port forwarding.
When an application needs incoming connections from the Internet, it sends a discovery message on your local network. Your router responds, identifying itself as the gateway. The application then sends a request: "Forward external port 25565 to my internal IP address on port 25565, protocol TCP."
The router creates the rule immediately. No authentication. No user prompt. No approval workflow.
Applications can set a lease time so rules expire automatically, preventing orphaned port mappings from accumulating when programs crash or get uninstalled. But the fundamental behavior remains: ask, and you shall receive.
Why It Was Designed This Way
The protocol emerged in the late 1990s when a simple assumption held: if you're on the local network, you're trusted.
That assumption made sense then. The devices on your home network were your devices—a computer or two, maybe a printer. Being on the local network meant being physically in the house, which meant being someone who belonged there. The local network was a trust boundary.
UPnP traded authentication for convenience, and for years that seemed reasonable. If you're inside the house, connected to the network, you're probably authorized to configure it.
Then we started connecting light bulbs to the Internet.
The Security Problem
The assumption shattered. Your local network now includes smart TVs with outdated firmware, IP cameras from manufacturers who went out of business, voice assistants, smart thermostats, connected appliances. Many of these devices have poor security. Some phone home to servers in other countries. Some get compromised and you never know.
UPnP still says yes to all of them.
Malware that infects any device on your network can silently open ports without your knowledge. A compromised smart light bulb can instruct your router to forward a port to itself, creating a backdoor. A trojan on your computer can expose services that should never face the Internet.
Most router interfaces don't distinguish between manually created port forwarding rules and ones created by UPnP. You have no easy way to know what's open or why.
Worse, many routers have had bugs where UPnP requests could be sent from the Internet side, letting attackers remotely reconfigure your router without ever touching your local network. Security researchers regularly find these implementation flaws. They get patched. New ones appear. [1]
The Mirai botnet and its variants exploited vulnerable devices to build massive attack networks. Research by Akamai found over 277,000 devices running vulnerable UPnP implementations, with more than 45,000 confirmed as compromised in their UPnProxy campaign. [2] CISA—the U.S. Cybersecurity and Infrastructure Security Agency—explicitly recommends disabling UPnP as protection against botnet infections. [3]
The Expert Position
Security professionals have recommended disabling UPnP for years. The reasoning is simple: UPnP assumes local network traffic is trusted, that assumption is no longer valid, and the protocol provides no way to add trust verification without breaking compatibility.
You can't fix UPnP. You can only turn it off.
When UPnP Makes Sense
For non-technical users who need things to work and can't configure port forwarding manually, UPnP might still be the practical choice. A network with UPnP enabled is probably safer than one where a frustrated user disabled the firewall entirely because they couldn't get their game to connect.
If you use UPnP:
- Keep router firmware updated. Manufacturers patch UPnP vulnerabilities regularly.
- Run security software on all devices. Since UPnP requests come from your local network, endpoint protection provides a defense layer.
- Periodically check your router's port forwarding table. Look for rules you don't recognize.
Some users enable UPnP only when needed—turning it on to set up a game or application, then disabling it afterward.
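The port-forwarding table is where the "ask, and you shall receive" behaviour described under How It Works becomes visible, and the router UI often hides which entries came from UPnP. The following added example (not code from the original article) shows the shape of the IGD exchange and an offline audit of the resulting table: it parses a constructed SSDP discovery reply, walks constructed WANIPConnection:1 GetGenericPortMappingEntry responses until the spec's 713 "end of table" fault, and flags mappings the owner did not knowingly create, permanent leases, unlabelled rules, and mappings that expose sensitive internal services. All addresses, ports, descriptions and the SENSITIVE_INTERNAL_PORTS policy list are made up for the example.

```python
"""Offline audit of a UPnP IGD port-mapping table.

Added example; not code from the original article. The SSDP reply and the
SOAP responses are constructed samples in the shape a WANIPConnection:1
gateway returns. All addresses, ports and descriptions are made up.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
CTRL_NS = "urn:schemas-upnp-org:control-1-0"

# Constructed reply a gateway sends to an SSDP M-SEARCH; LOCATION points at
# the device description from which a client reads the service control URL.
SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    "SERVER: ExampleOS/1.0 UPnP/1.1 ExampleRouter/2.3\r\n"
    "\r\n"
)

def _envelope(body):
    """Wrap a constructed SOAP body in the standard envelope."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f"<s:Body>{body}</s:Body></s:Envelope>")

# Constructed GetGenericPortMappingEntry responses for table index 0, 1, 2:
# a game-server rule the owner knows about, one nobody remembers adding, and
# the 713 SpecifiedArrayIndexInvalid fault that marks the end of the table.
RESPONSES = [
    _envelope(f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">'
              "<NewRemoteHost></NewRemoteHost><NewExternalPort>25565</NewExternalPort>"
              "<NewProtocol>TCP</NewProtocol><NewInternalPort>25565</NewInternalPort>"
              "<NewInternalClient>192.168.1.20</NewInternalClient><NewEnabled>1</NewEnabled>"
              "<NewPortMappingDescription>Minecraft server</NewPortMappingDescription>"
              "<NewLeaseDuration>3600</NewLeaseDuration>"
              "</u:GetGenericPortMappingEntryResponse>"),
    _envelope(f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">'
              "<NewRemoteHost></NewRemoteHost><NewExternalPort>8443</NewExternalPort>"
              "<NewProtocol>TCP</NewProtocol><NewInternalPort>22</NewInternalPort>"
              "<NewInternalClient>192.168.1.77</NewInternalClient><NewEnabled>1</NewEnabled>"
              "<NewPortMappingDescription></NewPortMappingDescription>"
              "<NewLeaseDuration>0</NewLeaseDuration>"
              "</u:GetGenericPortMappingEntryResponse>"),
    _envelope("<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
              f'<detail><UPnPError xmlns="{CTRL_NS}"><errorCode>713</errorCode>'
              "<errorDescription>SpecifiedArrayIndexInvalid</errorDescription>"
              "</UPnPError></detail></s:Fault>"),
]

def parse_ssdp_reply(text):
    """Header dict (names upper-cased) from a unicast SSDP reply."""
    headers = {}
    for line in text.split("\r\n")[1:]:   # skip the status line
        if not line:                       # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers

@dataclass(frozen=True)
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    lease_seconds: int   # 0 means permanent in WANIPConnection:1
    enabled: bool

def end_of_table(xml_text):
    """True when the response is the 713 SpecifiedArrayIndexInvalid fault."""
    code = ET.fromstring(xml_text).find(f".//{{{CTRL_NS}}}errorCode")
    return code is not None and (code.text or "").strip() == "713"

def parse_mapping(xml_text):
    """Build a PortMapping from one GetGenericPortMappingEntry response."""
    resp = ET.fromstring(xml_text).find(
        f"{{{SOAP_NS}}}Body/{{{WANIP_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    def arg(name):   # argument elements are unqualified children of the response
        el = resp.find(name)
        return (el.text or "").strip() if el is not None else ""
    return PortMapping(
        external_port=int(arg("NewExternalPort")),
        protocol=arg("NewProtocol").upper(),
        internal_client=arg("NewInternalClient"),
        internal_port=int(arg("NewInternalPort")),
        description=arg("NewPortMappingDescription"),
        lease_seconds=int(arg("NewLeaseDuration") or 0),
        enabled=arg("NewEnabled") == "1",
    )

def walk_table(responses):
    """Mappings from the responses to index 0, 1, ... until the 713 fault."""
    mappings = []
    for xml_text in responses:
        if end_of_table(xml_text):
            break
        mappings.append(parse_mapping(xml_text))
    return mappings

# Constructed policy: internal services that should never be reached through
# a UPnP mapping. Adjust to your own network.
SENSITIVE_INTERNAL_PORTS = {22, 23, 445, 3389, 5900}

def audit(mappings, allow_list):
    """Return (mapping, reason) findings. allow_list holds
    (external_port, protocol, internal_client) tuples the owner created knowingly."""
    findings = []
    for m in mappings:
        if not m.enabled:
            continue
        if (m.external_port, m.protocol, m.internal_client) not in allow_list:
            findings.append((m, "not on the owner's allow-list"))
        if m.lease_seconds == 0:
            findings.append((m, "permanent lease; outlives the program that asked for it"))
        if m.internal_port in SENSITIVE_INTERNAL_PORTS:
            findings.append((m, f"exposes sensitive internal port {m.internal_port}"))
        if not m.description:
            findings.append((m, "no description; legitimate apps usually label their rule"))
    return findings

if __name__ == "__main__":
    print("gateway description:", parse_ssdp_reply(SSDP_REPLY)["LOCATION"])
    for m, reason in audit(walk_table(RESPONSES), {(25565, "TCP", "192.168.1.20")}):
        print(f"{m.protocol} {m.external_port} -> {m.internal_client}:{m.internal_port}: {reason}")
```

Against a live router the same parsing applies to the real responses: each GetGenericPortMappingEntry call names a table index, and the 713 fault tells the loop when the table is exhausted. The allow-list is the part that makes the check meaningful; it is the owner's record of what was forwarded on purpose, so anything the audit reports is either a forgotten rule or one a device requested on its own.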
When to Disable It
Business networks should never use UPnP. Implement proper network architecture with manual port forwarding or VPN access.
Networks with many IoT devices are high-risk. If your network includes IP cameras, smart appliances, or devices from manufacturers with questionable security practices, disable UPnP.
Users comfortable with basic router configuration should disable UPnP and manually forward ports for applications that need them. This gives you complete visibility into what's exposed.
For gaming consoles that benefit from UPnP, consider network segmentation—place them on a separate network segment where a compromise can't reach your main devices.
The Tradeoff
UPnP is a protocol from a more trusting era, still running in a world that broke its assumptions. It makes home networking easier by removing authentication from port forwarding. That's both its value and its vulnerability.
The decision comes down to your situation. How technical are you? What devices share your network? What's the cost of a compromise versus the cost of manual configuration?
Understanding what UPnP actually does—letting any local device open ports without approval—makes the decision clearer. The question isn't whether UPnP is good or bad. The question is whether saying yes to everything is acceptable on your network.
Sources
[1] Security Flaws in Universal Plug and Play - Rapid7's research on UPnP implementation vulnerabilities
[2] UPnProxy: Eternal Silence - Akamai's research on UPnP-based proxy attacks
[3] Heightened DDoS Threat Posed by Mirai and Other Botnets - CISA alert recommending UPnP be disabled