Service:
ssdp
Protocol:
UDPPort:
1900Used for:
Port 1900 (UDP) is used by SSDP, a network discovery protocol that allows devices to find each other and advertise services on local networks.Why It’s Open
Port 1900 (UDP) is used by SSDP, a network discovery protocol that allows devices to find each other and advertise services on local networks. SSDP is part of UPnP (Universal Plug and Play) and is commonly enabled on smart TVs, printers, routers, IoT devices, Windows systems, and media servers. It listens on 1900/UDP for multicast requests to 239.255.255.250.
Common Risks
While SSDP is useful on local networks, exposing port 1900 to external or untrusted networks can lead to several serious risks:
- SSDP Reflection/Amplification Attacks
SSDP is frequently abused in DDoS attacks. A small spoofed request can generate a large response to a victim. - Information Disclosure
Responses may reveal device names, types, firmware versions, and internal IPs—useful for fingerprinting and targeting. - Exposure of UPnP Services
Devices may expose management interfaces or allow external control via NAT traversal mechanisms (e.g., port forwarding). - Attack Surface for IoT/Embedded Devices
Poorly secured IoT devices running SSDP may be exploited or used in botnets like Mirai.
Want to save time on reporting?
Let PentestPad generate, track, and export your reports - automatically.
Enumeration & Testing
Check if it’s open
nmap -sU -p 1900Send SSDP discovery request:
echo -ne "M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\nMAN:\"ssdp:discover\"\r\nMX:1\r\nST:ssdp:all\r\n\r\n" | nc -u -w 2 1900Use Metasploit auxiliary scanner:
use auxiliary/scanner/upnp/ssdp_msearchWhat to Look For
| Checkpoint | What it means |
|---|---|
| Port 1900 open externally | SSDP service may be reachable from the internet |
| Devices responding with info | Indicates possible info disclosure (device model, IP, etc.) |
| UPnP enabled on router | May allow external port mapping (security risk) |
| High response amplification | Target for DDoS reflection attacks |
Mitigation
- Block UDP/1900 on Perimeter
Prevent external access to SSDP by filtering incoming traffic to port 1900. - Disable SSDP/UPnP Where Unneeded
Especially on routers and internet-facing devices. - Segment and Monitor IoT Devices
Isolate devices running SSDP on separate VLANs and log traffic to/from port 1900. - Patch Firmware and Devices
Many embedded devices running SSDP are vulnerable due to outdated or abandoned firmware. - Rate Limit Internal Broadcasts
If used in LAN environments, control excessive SSDP traffic using switch/router controls.
Known CVEs and Exploits
- CVE-2013-0229 – Vulnerability in MiniUPnPd allowing command execution via SSDP.
- CVE-2018-20062 – Unauthorized access via UPnP SSDP responses.
- CVE-2019-12106 – Buffer overflow in SSDP parser (Netgear devices).
- SSDP DDoS Reflection Exploit (US-CERT) – Advisory for SSDP abuse in DDoS attacks.