Improper access control in the Universal Plug and Play component (upnp.dll) permits an authorized local user to read sensitive information that the component holds. The flaw manifests as a breach of the intended confinement of data within the service, allowing a user with access to the machine to obtain system state, network configuration or other confidential data. This is categorized under the access control weakness, CWE‑284.

The vulnerability affects Microsoft Windows operating systems starting with Windows 10 version 1607, through Windows 10 version 22H2, and all major Windows 11 releases including 23H2, 24H2, 25H2, 22H3 and 26H1. Server editions from Windows Server 2012 up to Windows Server 2025, including the 23H2 edition, are also exposed. The flaw exists within the upnp.dll component bundled with these OS releases.

With a CVSS v3.1 score of 5.5 the vulnerability is considered medium severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog, indicating that no widespread exploitation has been observed yet. The flaw requires authentication to the target machine, so only a local user with sufficient privileges can leverage the issue. Attackers would need to launch code from within the user context that the UPNP service processes, after which they can retrieve the exposed data. Overall, the risk is moderate but mitigable with the vendor’s security patch.