Editing Universal Plug and Play (section)

===Callback vulnerability===
On 8 June 2020, yet another protocol design flaw was announced.<ref>{{Cite web|url=https://kb.cert.org/vuls/id/339275|title = CERT/CC Vulnerability Note VU#339275}}</ref> Dubbed "CallStranger"<ref>{{Cite web |url=https://callstranger.com/ |title=CallStranger CVE-2020-12695 |access-date=14 June 2020 |archive-date=16 June 2020 |archive-url=https://web.archive.org/web/20200616122554/https://callstranger.com/ |url-status=dead }}</ref> by its discoverer, it allows an attacker to subvert the event subscription mechanism and execute a variety of attacks: amplification of requests for use in DDoS; enumeration; and data exfiltration.

OCF had published a fix to the protocol specification in April 2020,<ref>{{Cite web|url=https://openconnectivity.org/developer/specifications/upnp-resources/upnp/#architectural|title = OCF - UPnP Standards & Architecture}}</ref> but since many devices running UPnP are not easily upgradable, CallStranger is likely to remain a threat for a long time to come.<ref>{{Cite web|url=https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of|title = CVE-2020-12695: CallStranger Vulnerability in Universal Plug and Play (UPnP) Puts Billions of Devices at Risk|date = 8 June 2020}}</ref> CallStranger has fueled calls for end-users to abandon UPnP because of repeated failures in security of its design and implementation.<ref>{{Cite web|title=Disable UPnP on Your Wireless Router Already|url=https://lifehacker.com/disable-upnp-on-your-wireless-router-already-1844012366|access-date=14 June 2020|website=Lifehacker|date=12 June 2020 |language=en-us}}</ref>