Other issues have been identified in the latest version of MiniUPnP, 1.4, but they won't be publicly disclosed until the library's developer releases a patch to address them, they said.
"All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP," Moore said. "This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the Internet, a serious vulnerability in and of itself."
Belkin, Cisco, Netgear, D-Link and Asus, which all have vulnerable devices according to lists published by Rapid7, did not immediately respond to requests for comment sent Tuesday.
Moore believes that in most cases networked devices that are no longer being sold will not be updated and will remain exposed to remote attacks indefinitely unless their owners manually disable the UPnP functionality or replace them.
"These findings prove that too many vendors still haven't learned the basics of designing devices that default to a secure and robust configuration," said Thomas Kristensen, chief security officer at vulnerability research and management firm Secunia. "Devices that are intended for direct Internet connections should not run any services on their public interfaces by default, particularly not services like UPnP, which are solely intended for local 'trusted' networks."
Kristensen believes that many of the vulnerable devices are likely to remain unpatched until they are replaced, even if their manufacturers release firmware updates.
Many PC users don't even update PC software that they frequently use and are familiar with, he said. The task of finding the Web interface of a vulnerable networked device, obtaining the firmware update and going through the whole update process will likely be too intimidating for many users, he said.
The Rapid7 research paper includes security recommendations for Internet service providers, businesses and home users.
ISPs were advised to push configuration updates or firmware updates to subscriber devices in order to disable UPnP capabilities or to replace those devices with others that are configured in a secure manner and don't expose UPnP to the Internet.
"Home and mobile PC users should ensure that the UPnP function on their home routers and mobile broadband devices has been disabled," the researchers said.
In addition to making sure that no external-facing device exposes UPnP to the Internet, companies were advised to perform a careful review of the potential security impact of all UPnP-capable devices found on their networks -- networked printers, IP cameras, storage systems, etcetera -- and consider segmenting them from the internal network until a firmware update is available from the manufacturer.
Rapid7 released a free tool called ScanNow for Universal Plug and Play, as well as a module for the Metasploit penetration testing framework, that can be used to detect vulnerable UPnP services running inside a network.