I know UPnP sounds scary when you first read how it works, but the security liability of it is overblown. The thing is, for something to be behind your router forwarding ports in past the NAT, you have to already be executing arbitrary code on that system. So in theory, yes, you could forward in ports to common Windows services hoping the system is not updated and can then be hit by an OS or other listening-service vulnerability, or possibly point that forward to other IPs in the network. But why WOULD you do that? You're already on the system, executing arbitrary code. Just perform a direct outbound connection to your C&C server (since there's not going to be any outbound filtering or monitoring anyway), pull down more malicious payloads, and use that foothold to directly replicate to anything you can behind the router. It just doesn't make sense to try to exploit UPnP because you're already in and there is nothing to be gained from it. Sure, disable it for business or public Wi-Fi networks, but for home use the benefit and convenience far outweigh the non-existent security issue.

Home systems are going to be a liability, but there are a few things you can do to address it. Some VPN products have client-based health-check agents that can verify that they are at least complying with your security/update policies, which reduces the likelihood of the system being compromised. Or you can severely restrict the ports/IPs that the system can access through the VPN tunnel once it is connected, minimizing the exposure to the network on the other side. Or you funnel all connections in through remote sessions on trusted equipment (RDP, PCoIP, VPN, Citrix, whatever) and reduce that system at home to a glorified fat client. Or probably a combination of all three. Worrying about UPnP at this point is missing the forest for the trees.
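The scenario the post describes (a mapping that forwards an external port to a common Windows service on a LAN host) is something a home user can check for rather than guess at: a UPnP IGD router answers `GetGenericPortMappingEntry` requests with a SOAP response listing each mapping it currently holds. The script below is an added example, not code from the poster; it parses such responses and flags mappings that expose well-known service ports. The two SOAP responses are constructed samples, and the `SENSITIVE_PORTS` table is my own selection, not a list from the post.

```python
import xml.etree.ElementTree as ET

# Service ports that commonly listen on LAN hosts (my own selection; the post
# only speaks of "common Windows services" in general).
SENSITIVE_PORTS = {
    22: "SSH", 23: "Telnet", 135: "MS-RPC", 139: "NetBIOS-SSN", 445: "SMB",
    1433: "MSSQL", 3389: "RDP", 5900: "VNC",
}

# Constructed sample responses, in the shape a WANIPConnection:1 service returns
# for GetGenericPortMappingEntry. One benign game mapping, one forwarding RDP.
SAMPLE_RESPONSES = [
    """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:GetGenericPortMappingEntryResponse
        xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>27015</NewExternalPort>
      <NewProtocol>UDP</NewProtocol>
      <NewInternalPort>27015</NewInternalPort>
      <NewInternalClient>192.168.1.20</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>Game client</NewPortMappingDescription>
      <NewLeaseDuration>3600</NewLeaseDuration>
    </u:GetGenericPortMappingEntryResponse>
  </s:Body>
</s:Envelope>""",
    """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:GetGenericPortMappingEntryResponse
        xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>3389</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>3389</NewInternalPort>
      <NewInternalClient>192.168.1.30</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>Remote desktop</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:GetGenericPortMappingEntryResponse>
  </s:Body>
</s:Envelope>""",
]


def parse_port_mapping(soap_xml: str) -> dict:
    """Extract the New* fields of one GetGenericPortMappingEntry response."""
    root = ET.fromstring(soap_xml)
    fields = {}
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]          # drop any namespace prefix
        if tag.startswith("New") and elem.text is not None:
            fields[tag[3:]] = elem.text.strip()
    return {
        "remote_host": fields.get("RemoteHost", ""),   # "" means any source
        "external_port": int(fields["ExternalPort"]),
        "protocol": fields["Protocol"],
        "internal_port": int(fields["InternalPort"]),
        "internal_client": fields["InternalClient"],
        "enabled": fields.get("Enabled", "1") == "1",
        "description": fields.get("PortMappingDescription", ""),
        "lease_seconds": int(fields.get("LeaseDuration", "0")),
    }


def assess_mapping(m: dict) -> list:
    """Return (severity, message) findings for one mapping; empty means benign."""
    findings = []
    if not m["enabled"]:
        return findings
    svc = SENSITIVE_PORTS.get(m["internal_port"])
    if svc:
        findings.append(("high", f"{m['protocol']}/{m['external_port']} -> "
                                 f"{m['internal_client']}:{m['internal_port']} ({svc})"))
    # A lease of 0 never expires; combined with no RemoteHost restriction the
    # mapping stays open to any source until someone deletes it.
    if m["lease_seconds"] == 0 and m["remote_host"] == "":
        findings.append(("info", "permanent mapping, open to any remote host"))
    return findings


def audit(responses: list) -> dict:
    """Map each mapping's description to its list of findings."""
    return {m["description"]: assess_mapping(m)
            for m in (parse_port_mapping(x) for x in responses)}


if __name__ == "__main__":
    for desc, findings in audit(SAMPLE_RESPONSES).items():
        print(desc, "->", findings or "ok")
```

Against a real router you would issue the SOAP request for index 0, 1, 2, ... until the device returns an error, feeding each response body to `parse_port_mapping`; the sample here skips that network step so the logic runs offline.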