Is UPnP safe or does it have vulnerabilities?
In today's world, on equipment that is properly updated to the latest software/firmware, is UPnP still insecure, or have its vulnerabilities been fixed?
I was looking for more information on Wikipedia and got to know that Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services. UPnP is intended primarily for residential networks without enterprise-class devices.
The UPnP protocols were promoted by the UPnP Forum, a computer industry initiative to enable simple and robust connectivity to standalone devices and personal computers from many different vendors. The Forum consisted of more than 800 vendors involved in everything from consumer electronics to network computing. Since 2016, all UPnP efforts have been managed by the Open Connectivity Foundation (OCF).
Why is UPnP safe or unsafe anyway?
UPnP's bad name comes from implementation issues found in 2011-2013. It's like saying email is insecure and should be disabled because someone found a common issue in multiple email clients some years ago. I always disabled UPnP because everyone said so. Now that I looked into it, it turns out to be silly.
When UPnP was new, some devices were found to allow configuration from the Internet. Anyone could open any port on it. Since then, router vendors had plenty of time to fix their software. Security is a much bigger thing now than it was in 2011 (that's about the time when the first iPad was released), so vendors are more aware of security issues. For older routers, if they were vulnerable in the first place, a firmware update has probably been released long ago.
What is the purpose of UPnP?
UPnP is a solution to an issue that is created by having too few IP addresses. Because not everyone can have their own, we need to share them. The way we do this is by Network Address Translation (NAT): your consumer router translates between your local network (for example 192.168.x.x) and your public IP address (for example 278.14.1.48). Peer to peer applications such as file sharing, calling or video calling, distributing updates (Windows, Google Play), anonymity networks, resilient mesh networks, etc. all cannot function through NAT, so we have to either disable it for specific applications (using port forwarding), or find workarounds (such as UDP/TCP hole punching, STUN, etc.). The UPnP protocol is what an application uses to tell the router that it would like to disable NAT for an application. It's basically automatic port forwarding. Not enabling UPnP means we need workarounds instead of being able to have peer to peer communication. Software developers that hope to make a profit off of you will spend money on running servers to keep those workarounds functional for you, but free software often does not have such luxuries and cannot function without either UPnP, or you forwarding the port manually.
Then why are the others saying "Yes, it's insecure by design"? (Spoiler: they are wrong.)
Because NAT is ubiquitous in IPv4, many people started to rely on it for security: because you cannot reach individual hosts inside the network, vulnerabilities cannot be exploited from the outside, and people started turning off security measures inside their LAN. They neglected doing security updates and opened file shares without passwords (because nobody ever takes their laptop outside their LAN, right?), so now you need a firewall that is outside of your laptop, for example in your router. Combine this with the idea that UPnP can open ports, and you get misinformed answers such as the previously top-voted answer.
Ask yourself: what makes that UPnP request to your router to open a port? It has to be something inside your network. For example, malware could tell the router to open it. How terrible! But wait, if you have malware running on your network, and your laptop is not secure... then you are already screwed, right? Yes, indeed.
Malware does not need UPnP to reach your local devices: for it to be able to do UPnP, it already needs to be on your device, or inside your network, so it can reach the internal devices by itself without using UPnP. Or what if a friend brings their smartphone that is infected with malware? It could tell the router to do UPnP to your other devices and expose them. True enough, but again: the malware is already inside your network and can already reach your local devices directly.
Conclusion
UPnP is fine to enable if your router is not ancient, or if you installed firmware updates for it (or if it was never vulnerable in the first place).
Even if your router is known to be vulnerable (and you either refuse to install the update or the vendor did not release an update), then it's still not an issue if all devices inside your network have their security updates installed. You should be doing that anyway, as every website that you visit can attack local devices through JavaScript in your browser (particularly if the local device can be exploited via blind HTTP requests), and everyone with access to your WiFi (e.g. through password cracking) could hack them as well. Beware: this includes printers, IP cameras, and other embedded computers that are often forgotten.
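
Since UPnP is automatic port forwarding, one practical check is to review which mappings a router currently holds. The following is an added example, not part of the original answer: it parses constructed replies shaped like the UPnP IGD `GetGenericPortMappingEntry` response and flags mappings worth a second look. The LAN prefix, the sensitive-port list and all sample data are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: your LAN prefix
SENSITIVE = {23: "telnet", 80: "HTTP admin", 445: "SMB", 554: "RTSP camera",
             3389: "RDP", 9100: "raw printing"}  # illustrative, not exhaustive

# Shape of one GetGenericPortMappingEntryResponse (WANIPConnection:1).
TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse'
    ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>{0}</NewExternalPort>'
    '<NewProtocol>{1}</NewProtocol><NewInternalPort>{2}</NewInternalPort>'
    '<NewInternalClient>{3}</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>{4}</NewPortMappingDescription>'
    '<NewLeaseDuration>{5}</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

# Constructed sample replies, one per mapping index on a hypothetical router.
SAMPLES = [
    TEMPLATE.format(51413, "TCP", 51413, "192.168.1.20", "file sharing", 3600),
    TEMPLATE.format(8554, "TCP", 554, "192.168.1.77", "cam", 0),
    TEMPLATE.format(4444, "TCP", 445, "10.9.8.7", "", 0),
]

def parse_mapping(soap_xml):
    """Extract the New* output arguments of one response into a dict."""
    root = ET.fromstring(soap_xml)
    return {el.tag[3:]: (el.text or "") for el in root.iter()
            if el.tag.startswith("New")}

def audit(mapping):
    """Return findings for one mapping; an empty list means unremarkable."""
    findings = []
    if ipaddress.ip_address(mapping["InternalClient"]) not in LAN:
        findings.append("internal client outside LAN")
    port = int(mapping["InternalPort"])
    if port in SENSITIVE:
        findings.append(f"exposes {SENSITIVE[port]}")
    if mapping["LeaseDuration"] == "0":  # 0 = no expiry in IGD v1
        findings.append("permanent lease")
    return findings

def flagged(samples):
    """Return (external_port, findings) for every mapping with findings."""
    parsed = [parse_mapping(s) for s in samples]
    return [(int(m["ExternalPort"]), audit(m)) for m in parsed if audit(m)]

if __name__ == "__main__":
    print(flagged(SAMPLES))
```

A mapping that points at a printer, camera or file share is exactly the "forgotten device" case above, so those are the entries to confirm were opened on purpose.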