## https://sploitus.com/exploit?id=C1A4B986-0659-5663-B5A2-7E1B10E6D9A2
# Description
Local arbitrary file read PoC exploit for the Windows UPnP Device Host service. Reads an arbitrary file in the context of `LOCAL SERVICE`. Tested against Windows 11 Pro build 26200.8457.
Reported to Microsoft. Assessed as "not a vulnerability".
# How to Build
1. Clone the repository.
2. Build the UPnPHostFileRead solution.
# How to Use
- Run `UPnPHostFileRead.exe SOURCE DESTINATION`.
The `SOURCE` file will be read in the context of `LOCAL SERVICE` and will then be written to `DESTINATION` in the context of the current user.


# Technical Details
Normal users can create an instance of the `UPnPRegistrar` COM object and call its `RegisterRunningDevice` method, which registers a device from a device description XML. This XML can reference an icon, but the reference is vulnerable to path traversal and can be pointed at any file on the system. Once the device is registered, the referenced file is exposed by an HTTP service running as `LOCAL SERVICE`, and anyone can access the endpoint and download the file.
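
The following is an added example, not code from the PoC repository or from Windows: a Python check that every icon reference in a device description stays inside a base directory, which is the containment test a path traversal bug like the one above lacks. The base directory `C:\upnp\res`, the sample XML and the function names are assumptions constructed for illustration; the `iconList/icon/url` layout and the namespace are those of the UPnP device description schema.

```python
import ntpath  # Windows path rules, usable on any host OS
import xml.etree.ElementTree as ET  # for untrusted XML, defusedxml is the safer parser
from urllib.parse import unquote

NS = {"u": "urn:schemas-upnp-org:device-1-0"}  # UPnP device description namespace

# Constructed sample: one in-tree icon and three references that leave the base directory.
SAMPLE = r"""<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <friendlyName>Constructed sample</friendlyName>
    <iconList>
      <icon><mimetype>image/png</mimetype><url>icons/device.png</url></icon>
      <icon><mimetype>image/png</mimetype><url>..\..\outside\file.txt</url></icon>
      <icon><mimetype>image/png</mimetype><url>%2e%2e/%2e%2e/outside.txt</url></icon>
      <icon><mimetype>image/png</mimetype><url>C:\other\file.txt</url></icon>
    </iconList>
  </device>
</root>"""


def icon_refs(description_xml):
    """Return every icon <url> value, including those of nested devices."""
    root = ET.fromstring(description_xml)
    return [(el.text or "").strip() for el in root.iterfind(".//u:icon/u:url", NS)]


def is_contained(ref, base_dir):
    """True only if ref, resolved under base_dir with Windows rules, stays inside it."""
    rel = unquote(ref).replace("/", "\\")  # decode %2e%2e and unify separators first
    drive, tail = ntpath.splitdrive(rel)
    if not rel or drive or ":" in rel or tail.startswith("\\"):
        return False  # empty, drive- or UNC-qualified, stream syntax, or rooted path
    base = ntpath.normcase(ntpath.normpath(base_dir)).rstrip("\\")
    full = ntpath.normcase(ntpath.normpath(ntpath.join(base, rel)))
    # Lexical check only: a service should also verify the opened file's final
    # path, since links or junctions inside base_dir can still point elsewhere.
    return full.startswith(base + "\\")


def audit(description_xml, base_dir):
    """Return the icon references that must be rejected before registration."""
    return [r for r in icon_refs(description_xml) if not is_contained(r, base_dir)]


if __name__ == "__main__":
    for bad in audit(SAMPLE, r"C:\upnp\res"):  # assumed base directory
        print("rejected icon reference:", bad)
```
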