DefenseCode researchers have discovered a critical security vulnerability that allows remote unauthenticated attacker to remotely execute arbitrary code under root privileges in the UPnP (Universal Plug and Play) implementation developed by Broadcom and used by many routers with Broadcom chipsets.

Routers with vulnerable Broadcom UPnP stack are mostly based on Broadcom chipset. "We have found that, in fact, same vulnerable firmware component is also used in at least two other Cisco Linksys models - WRT54G3G and probably WRT310N. Could be others." researchers said.

The vulnerability is located within the wanipc and wanppp modules of the Broadcom UPnP stack, which is used by manufacturers that deliver routers based on the Broadcom chipset. The UPnP service is intended to be used on local networks, but Rapid7 found that there are over 80 million devices on the Internet that respond to UPnP discovery requests, making them vulnerable to remote attacks.

The vulnerability can be exploited to read the memory of a device that uses the vulnerable Broadcom UPnP stack or to write arbitrary values at arbitrary addresses in its memory.

Full exploit was previously demonstrated in a video on Cisco Linksys WRT54GL, that is also based on Broadcom UPnP stack. DefenseCode hasn't compiled a complete list with affected router models, but believes that some devices from Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, USRobotics and other vendors probably use the vulnerable Broadcom UPnP stack.