UPnP on Your Router Explained: What It Does, When It Helps, and Why Security Experts Recommend Disabling It

If you’ve ever set up a gaming console, a smart home hub, or a media streaming device, you’ve probably benefited from UPnP without knowing it. Universal Plug and Play is the protocol that lets devices on your local network automatically configure your router’s port forwarding — no manual setup required. It’s enabled by default on virtually every consumer router sold today, and it’s also one of the most consistently criticized features in home networking security. Understanding what UPnP does, where it genuinely helps, and why security researchers keep telling you to turn it off is essential for anyone serious about home network security.

What Is UPnP?

Universal Plug and Play is a set of networking protocols that allows devices on the same local network to automatically discover each other and negotiate services — including asking your router to open specific ports to the internet. When a PlayStation 5 wants to host a multiplayer session, it sends a UPnP request to your router asking it to forward a specific port. The router complies automatically, without prompting you or requiring a password. When the session ends, the device (in theory) asks the router to close the port again.

UPnP operates on the assumption that every device on your local network is trustworthy. That assumption is the root of every security problem associated with it.

What UPnP Is Used For

Gaming Consoles and NAT Type

The most common reason home users care about UPnP is NAT type on gaming consoles. PlayStation and Xbox use NAT type labels (Open, Moderate, Strict) to describe how accessible your console is for peer-to-peer game sessions. With UPnP enabled, a PS5 or Xbox Series X can automatically negotiate Open NAT — the most permissive setting — without any manual port forwarding rules. Without UPnP, you need to set up static IP addresses and manually forward specific ports through your router’s admin panel to achieve the same result. Our guide on how to fix Strict NAT type covers both approaches in detail.

Smart Home Devices and Media Servers

Older smart home hubs, Sonos speakers, Plex media servers, and some IP cameras rely on UPnP for local device discovery and external access. Plex, for example, uses UPnP to automatically open the port it needs to stream content to apps outside your home network. Without UPnP, you’d need to manually forward port 32400 through your router and configure a static IP for the Plex server.

Video Conferencing and VoIP

Some VoIP applications and older video conferencing software use UPnP to open the ports needed for direct peer-to-peer audio and video streams. Modern applications like Zoom, Teams, and FaceTime use relay servers and STUN/TURN protocols that bypass the need for UPnP entirely — one reason the protocol matters less than it did a decade ago.

Why UPnP Is a Security Risk

No Authentication

UPnP has no mechanism to verify the identity or legitimacy of a port forwarding request. Any device on your local network — your laptop, your smart TV, your smart lightbulb, or any device compromised by malware — can send a UPnP request and your router will comply without question. There is no password, no approval prompt, and no log entry by default on most routers.

Malware Exploitation

This is where UPnP goes from inconvenient to genuinely dangerous. Malware running on any device inside your network can use the UPnP protocol to instruct your router to open arbitrary ports to the internet, effectively creating a backdoor that bypasses your firewall without triggering any alert. The attacker’s command-and-control server can then communicate directly with the infected device through that port — even if your router would otherwise block unsolicited inbound connections.

The Mirai Botnet, which launched one of the largest DDoS attacks in internet history in 2016, exploited exposed UPnP ports on hundreds of thousands of IoT devices. More recently, the EternalSilence campaign (discovered by Akamai in 2022) found over 65,000 home routers compromised by UPnP-based attacks that embedded malware directly into router firmware. The FBI first recommended disabling UPnP as far back as 2001 — and the guidance hasn’t changed.

Exposed UPnP Services

On some misconfigured routers, the UPnP service itself is exposed to the internet — meaning attackers outside your network can send UPnP commands directly to your router without ever needing to compromise a device inside it first. Tools like Shodan routinely index tens of thousands of routers with internet-facing UPnP endpoints. If your router is on that list, an external attacker can open ports, redirect traffic, and potentially access the router’s admin interface without stepping foot inside your network.

Should You Disable UPnP?

For most home users, yes — disabling UPnP is the right call. The security risk is real and the practical cost is low. Modern gaming relies less on UPnP than it used to: Xbox uses NAT traversal techniques that work without it, PlayStation 5 supports manual port forwarding, and most multiplayer games now use relay servers (TURN) that make direct peer-to-peer port negotiation unnecessary. You’ll need to set up manual port forwarding for any application that previously relied on UPnP, but that’s a one-time task that gives you explicit control over exactly what’s exposed.

If you run a Plex server, self-hosted game server, or other home server application that requires inbound connections, the alternative is straightforward: assign a static local IP to that device and create a manual port forwarding rule in your router. This achieves the same result with full visibility and no automatic openings that malware can abuse.

How to Disable UPnP on Your Router

TP-Link (Archer Series)

Log in to your TP-Link router at 192.168.0.1 or tplinkwifi.net. Go to Advanced > NAT Forwarding > UPnP. Toggle UPnP off and save.

ASUS Routers

Log in at router.asus.com. Navigate to WAN > Basic Config and find the Enable UPnP toggle. Set it to No and click Apply.

Netgear Nighthawk / Orbi

Log in at routerlogin.net. Go to Advanced > Advanced Setup > UPnP. Uncheck “Turn UPnP On” and click Apply.

eero

eero does not provide a user-facing toggle for UPnP in the standard app. eero Pro models allow disabling it via the eero app under Settings > Network Settings > Advanced — look for “UPnP” if your firmware version exposes it. On older or base eero models, UPnP management may require contacting eero support.

Manual Port Forwarding as the Alternative

Once UPnP is off, any device or application that needs specific inbound ports will require a manual port forwarding rule. The process involves three steps: assigning a static local IP address (or a DHCP reservation) to the device, then creating a port forwarding rule in your router that maps the external port to that IP. This is more work up front but gives you a clear, auditable list of exactly which ports are open on your network and which device receives each one. Our guide on fixing Strict NAT type walks through manual port forwarding for PlayStation and Xbox in detail. For home servers and Plex, see your application’s documentation for the specific ports required.

The Bottom Line

UPnP trades security for convenience: it eliminates the need to manually configure port forwarding, but at the cost of allowing any device on your network — including compromised ones — to silently open holes in your firewall without your knowledge. For the majority of home users, the convenience benefit is marginal in 2026 (most modern gaming and streaming platforms work without it), while the security risk is concrete and well-documented. Disable it, set up manual port forwarding for anything that actually needs it, and run a speed test afterward to confirm nothing changed in your normal traffic. You can always re-enable it temporarily if a specific device genuinely requires it.