CVE-2005-3644
published 2005-11-17


Priority: P345 high | CVSS 2.0: 7.8
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
EXPLOIT
EPSS: 47.13% (98.7th percentile)

PNP_GetDeviceList (upnp_getdevicelist) in UPnP for Microsoft Windows 2000 SP4 and earlier, and possibly Windows XP SP1 and earlier, allows remote attackers to cause a denial of service (memory consumption) via a DCE RPC request that specifies a large output buffer size, a variant of CVE-2006-6296, and a different vulnerability than CVE-2005-2120.

Detection & IOCs (extracted from sources)

port: 445
path: \\<target>\IPC$
command: OpNum 0x0A (PNP_GetDeviceList / upnp_getdevicelist)
bytes: \x10\x10\x10\x10 (large output buffer size field in DCE RPC PNP_GetDeviceList request)
  • Detect DCE RPC requests over SMB (port 445) targeting the UPnP/PNP interface (OpNum 0x0A, PNP_GetDeviceList) with an abnormally large output buffer size field (e.g., 0x10101010) in the request payload.
  • The exploit connects via TCP port 445, performs a Null Session SMB authentication, opens the \PIPE\ named pipe, binds to the UPnP DCE RPC interface, then sends the malicious PNP_GetDeviceList request — the full SMB session setup sequence to IPC$ with a subsequent DCE RPC bind is a detectable pattern.
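
A sketch of the first check above, added here as an example and not taken from the page or its sources: it parses a DCE/RPC request PDU already extracted from the SMB pipe traffic and flags oversized 32-bit values in an OpNum 0x0A stub. The page does not give the offset of the size field, so the code scans every aligned word; the 16 MiB threshold, the function names and the sample stubs are assumptions.

```python
import struct

PNP_GETDEVICELIST_OPNUM = 0x0A     # opnum given on the page
MAX_PLAUSIBLE_FIELD = 0x01000000   # assumed threshold (16 MiB), not from the page
PTYPE_REQUEST = 0                  # DCE/RPC connection-oriented request PDU
PFC_OBJECT_UUID = 0x80             # header flag: 16-byte object UUID precedes the stub


def oversized_fields(pdu: bytes) -> list:
    """Return (stub_offset, value) for each aligned 32-bit stub word at or above
    MAX_PLAUSIBLE_FIELD in a request PDU for opnum 0x0A; [] for anything else."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != PTYPE_REQUEST:
        return []
    endian = "<" if pdu[4] & 0x10 else ">"   # integer byte order from the drep field
    frag_len, auth_len = struct.unpack_from(endian + "HH", pdu, 8)
    opnum, = struct.unpack_from(endian + "H", pdu, 22)
    if opnum != PNP_GETDEVICELIST_OPNUM:
        return []
    start = 24 + (16 if pdu[3] & PFC_OBJECT_UUID else 0)
    # Exclude the auth verifier (8-byte trailer header + auth_len) when present.
    end = min(frag_len, len(pdu)) - (auth_len + 8 if auth_len else 0)
    stub = pdu[start:max(start, end)]
    hits = []
    for off in range(0, len(stub) - 3, 4):
        value, = struct.unpack_from(endian + "I", stub, off)
        if value >= MAX_PLAUSIBLE_FIELD:
            hits.append((off, value))
    return hits


def build_request(opnum: int, stub: bytes) -> bytes:
    """Constructed little-endian request PDU header plus stub, for testing only."""
    return struct.pack("<BBBB4sHHIIHH", 5, 0, PTYPE_REQUEST, 0x03, b"\x10\x00\x00\x00",
                       24 + len(stub), 0, 1, len(stub), 0, opnum) + stub


# Constructed stubs: a UTF-16 string followed by two 32-bit fields. This is a
# stand-in, not the real NDR layout of PNP_GetDeviceList.
BENIGN = "Root".encode("utf-16-le") + struct.pack("<II", 0x400, 0)
SUSPECT = "Root".encode("utf-16-le") + struct.pack("<II", 0x10101010, 0)

if __name__ == "__main__":
    for name, stub in (("benign", BENIGN), ("suspect", SUSPECT)):
        hits = oversized_fields(build_request(PNP_GETDEVICELIST_OPNUM, stub))
        print(name, [(off, hex(v)) for off, v in hits])
```

Opnums are relative to the bound interface, so a production rule should apply this check only to calls on a context bound to the UPnP/PNP interface named above; bind tracking is left out of this sketch.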