Between June 1 and Nov. 17, 2012, Rapid7 conducted weekly scans that sent simple service discovery protocUPnPol SSDP requests to each routable IPv4 address. In all, 2.2 percent of all public IPv4 addresses responded to the standard UPnP discovery requests. So, 81 million unique IP addresses responded and, upon deeper probing, researchers determined some 17 million further systems exposed the UPnP simple object access protocol SOAP. This level of exposure was far higher than researchers had expected, according to the report.

via 50 Million Potentially Vulnerable to UPnP Flaws | threatpost.