UPnP

What is UPnP?

UPnP (Universal Plug and Play) is a protocol that lets devices on your home network automatically punch holes in your router's firewall. When a game console, smart TV, or app wants to accept incoming connections from the internet, it can use UPnP to tell your router "open this port for me" without you having to log into the router and configure anything.

Think of your router's firewall as a locked front door. Normally, you decide who gets a key. With UPnP turned on, any device inside the house can hand out keys to anyone outside, no questions asked.

Why it matters

UPnP was designed for convenience, and it delivers on that promise. Game consoles use it so multiplayer works without manual port forwarding. Video chat apps use it for direct peer-to-peer connections. But the problem is that UPnP has no authentication: any device on your network can open any port, and your router will comply without checking whether the request is legitimate.

This becomes dangerous when malware infects a device on your network. The infected device can use UPnP to open a backdoor, letting an attacker reach into your network from the outside. There have been numerous real-world attacks that exploit UPnP, including botnets that turn routers themselves into proxy servers for criminal traffic. Security researchers and organizations like CISA have recommended disabling UPnP for years.

What you can do

• Disable UPnP in your router's settings; it is usually found under "WAN," "Firewall," or "Advanced" settings
• If a game or app stops working after disabling UPnP, set up a manual port forward for just that device and port instead
• Check your router's UPnP port mapping table before disabling it so you know which devices are relying on it
• Keep your router firmware updated, as some older firmware has UPnP vulnerabilities even when UPnP is disabled
• If you run a gaming console that relies heavily on open NAT, consider placing it in a DMZ or using manual port forwarding rather than leaving UPnP on for the whole network
• On business networks, UPnP should always be disabled; there is no legitimate enterprise use case for it

What Network Weather shows you

Network Weather detects whether UPnP is enabled on your router. Because UPnP allows any device on your network to open ports to the internet without authentication, security best practice is to keep it disabled.