That firmware update notification from your router — the one you dismissed three months ago, then two months ago, then last week — is not a minor convenience patch. It is almost certainly a security update addressing publicly documented vulnerabilities that attackers already know about. Right now, the National Vulnerability Database (NVD) maintained by NIST contains over 230,000 CVEs, and the number grows by approximately 2,000 each month. A significant portion of these affect networking equipment: routers, switches, access points, and the embedded web servers, SSH daemons, and UPnP implementations they run. Your specific router model, running its current firmware version, statistically has at least three known vulnerabilities — flaws that were discovered, assigned a CVE identifier, documented publicly, and in many cases accompanied by proof-of-concept exploit code. The only question is whether an attacker has scanned your network and found them before you did.

This is not hypothetical. In 2023, the Mirai-derived botnet "InfectedSlurs" exploited two zero-day vulnerabilities in widely deployed routers to build a DDoS network of over 40,000 devices, most of them in homes. In 2024, the "VPNFilter" successor "Cyclops Blink" was found in consumer routers from major brands, persisting across reboots and firmware updates. And in early 2025, CISA issued an advisory on a critical buffer overflow in a popular consumer router chipset that affected an estimated 12 million devices worldwide — many of which will never be patched because their manufacturers have discontinued support. Every one of these attacks targeted known CVEs in router firmware that had available patches at the time of exploitation. The routers that were compromised were simply running outdated firmware — exactly like yours probably is right now.

Paranoid includes a CVE vulnerability scanner and a dedicated router vulnerability assessment engine that can identify these flaws on your network in minutes — without sending a single byte of data to the cloud. This guide explains what CVEs are, how Paranoid's multi-layered vulnerability detection system works at a technical level, and how to use it to find and fix the security holes in your router before someone else exploits them.

That Firmware Update You've Been Ignoring

Every router is a small computer running a full operating system. It has a Linux kernel (or in some cases, a proprietary RTOS), a web server for the admin panel, an SSH or Telnet daemon for remote management, a DHCP server, a DNS forwarder, a firewall engine, and often UPnP and NAT-PMP services for automatic port forwarding. Each of these components is a distinct piece of software with its own version number, its own codebase, and its own history of security vulnerabilities. When your router manufacturer releases a firmware update, it typically bundles patches for multiple components — fixing a buffer overflow in the web server, updating the OpenSSL library to address a newly disclosed TLS vulnerability, patching a command injection flaw in the UPnP service, and so on.

The problem is the gap between disclosure and patching. When a security researcher discovers a vulnerability in router firmware, the responsible disclosure process gives the manufacturer a window (usually 90 days) to develop and release a patch before the details are published. Once that window closes, the CVE is published in the NVD with full technical details: the affected product versions, the attack vector, the complexity, the impact, and often a reference to proof-of-concept exploit code. From that moment, every attacker in the world knows about the vulnerability and can scan the internet for affected devices. Automated tools like Shodan and Censys index internet-facing devices and their banner strings, making it trivial to find routers running vulnerable firmware versions. The race between patching and exploitation is won by whichever side moves faster — and on home networks, the attacker almost always wins because the firmware update sits undismissed in the router's admin panel, waiting for a human who will never log in to apply it.

A network vulnerability assessment closes this gap by proactively identifying what is running on your network, correlating it against the public CVE database, and telling you exactly which vulnerabilities affect your specific devices. Instead of waiting for an attacker to find your unpatched router, you find the problems first — and fix them before they are exploited.

What Is a CVE (And Why Your Router Has Several)

A CVE — Common Vulnerabilities and Exposures — is a standardized identifier for a publicly disclosed security flaw in a specific product. Each CVE entry follows the format CVE-YYYY-NNNNN, where YYYY is the year of assignment and NNNNN is a sequential number. For example, CVE-2023-44487 identifies the HTTP/2 "Rapid Reset" vulnerability that affected virtually every web server and reverse proxy in existence. The CVE system is maintained by MITRE Corporation and funded by CISA (the U.S. Cybersecurity and Infrastructure Security Agency). It serves as the universal language for vulnerability identification — when a vendor publishes a security advisory, it references CVE IDs; when a penetration tester writes a report, it cites CVE IDs; when an intrusion detection system detects an exploit attempt, it logs the CVE ID.

Each CVE in the NVD is annotated with several pieces of information that are critical for understanding its severity and relevance:

Why routers accumulate CVEs

Routers are disproportionately affected by CVEs for several compounding reasons. First, they run multiple network-facing services simultaneously — a web server, an SSH daemon, UPnP, DNS, DHCP — each of which expands the attack surface. Second, many consumer routers use shared chipset SDKs from companies like Realtek, MediaTek, and Broadcom, meaning a single CVE in the SDK affects dozens of router brands simultaneously. Third, the embedded Linux distributions used in routers often ship with outdated library versions (OpenSSL, libcurl, busybox) that have their own CVE histories. Fourth, and most critically, the firmware update cadence for consumer routers is measured in months or years, not days — and many models reach end-of-life status and stop receiving updates entirely while millions of units remain in active use.

The result is that your router — regardless of brand — is running firmware that contains known, documented, publicly disclosed vulnerabilities. The only variable is how many and how severe they are. A CVE scanner for your home network answers both questions definitively.

Anatomy of a Router Vulnerability

To understand what Paranoid's vulnerability scanner detects, it helps to know what router vulnerabilities look like in practice. They fall into several categories, each with distinct characteristics and risk profiles.

Firmware CVEs

These are flaws in the router's own firmware code — buffer overflows, command injection, authentication bypasses, path traversal, and memory corruption bugs. A typical firmware CVE might allow an attacker on the local network (or, in the worst case, from the internet) to execute arbitrary code on the router with root privileges. The remediation is always a firmware update to a patched version. Example: a command injection in the web admin panel where a specially crafted HTTP request to /cgi-bin/setup.cgi passes user input directly to a system() call, allowing the attacker to execute shell commands as root.

Default credentials

Many routers ship with well-known default usernames and passwords: admin/admin, admin/password, admin/1234, or manufacturer-specific defaults like cusadmin/highspeed for certain ISP-provided models. These credentials are documented in public databases and are the first thing any automated scanner tries. Despite decades of security awareness campaigns, studies consistently show that 15–20% of consumer routers still use their factory default credentials. Paranoid's router vulnerability scanner specifically tests for these known default credential pairs.

Weak encryption

Routers that still use WEP encryption (crackable in minutes), WPA with TKIP (deprecated and vulnerable to known attacks), or TLS 1.0/1.1 on their admin panel (susceptible to BEAST, CRIME, and POODLE attacks) have configuration weaknesses that are not CVEs in the traditional sense but represent real, exploitable security holes. These are detected by Paranoid's WeaknessScorer, which generates configuration weakness findings with identifiers like CONFIG-SSLV3, CONFIG-TLS10, and CONFIG-WEAK-CIPHER.

UPnP exposure

Universal Plug and Play allows devices on your network to automatically open ports on the router without authentication. This is convenient for gaming consoles and VoIP phones, but it means that any compromised device on your network can silently open a port to the internet, creating a backdoor. Worse, UPnP implementations themselves have a long history of CVEs — buffer overflows in the XML parsing, authentication bypasses, and SSRF (Server-Side Request Forgery) vulnerabilities that allow attackers to manipulate the router from outside the network through carefully crafted UPnP requests. Paranoid's RouterVulnerabilityService actively probes for UPnP via SSDP discovery, enumerates all existing port mappings, and classifies each one by risk level.

DNS rebinding

This subtle attack allows a malicious website to bypass the browser's same-origin policy and access the router's admin panel through the user's browser. The attacker registers a domain that initially resolves to their own server (serving the malicious JavaScript) and then changes the DNS resolution to 192.168.1.1 (the router). The browser, believing it is still communicating with the original domain, sends requests to the router's admin panel — potentially changing settings, opening ports, or exfiltrating configuration data. Routers that do not implement DNS rebinding protection are vulnerable to this attack from any malicious or compromised website the user visits.

How Paranoid's CVE Scanner Works

Paranoid's vulnerability detection is not a single tool but a coordinated pipeline of five specialized services, each responsible for a distinct phase of the process. Understanding this pipeline explains both what the scanner can detect and why it is more thorough than a simple "version check" tool.

The pipeline follows this sequence:

  1. Port scanning discovers which network ports are open on the target device (TCP connect scan across 145+ well-known service ports).
  2. Banner grabbing (BannerGrabber) sends protocol-specific probes to each open port to identify the exact service and version running behind it.
  3. CPE generation (CPEGuesser) converts the service name and version into standardized CPE strings with multiple specificity variants.
  4. CVE lookup (CVELookupService) searches for known vulnerabilities matching the generated CPE strings, using a multi-level fallback strategy.
  5. Weakness scoring (WeaknessScorer) independently analyzes each open port and its banner for configuration weaknesses that may not have formal CVE identifiers.

The results from steps 4 and 5 are merged, deduplicated, and stored per host. Each vulnerability result includes: the CVE ID (or a CONFIG-* identifier for configuration weaknesses), the CVSS score and severity, the affected service, the matched CPE string, a human-readable description, the EPSS probability score, a reference URL to the NVD entry, and publication dates. This comprehensive data model — the VulnerabilityResult struct — enables the rich, filterable vulnerability views in the Paranoid interface.

Critically, the entire pipeline runs on your Mac with no external service dependencies. The port scan uses TCP connect calls via Apple's Network framework. The banner grabber uses direct socket connections with nmap-format probe data bundled in the app. The CPE guesser is a local computation. The CVE lookup queries a local SQLite database. And the weakness scorer is pure local analysis. The only optional network call is to the NVD API when the offline database does not have a match — and even that can be disabled entirely.

🛡
Scan your router for known CVEs in under 2 minutes

Paranoid's offline CVE database, EPSS scoring, and banner-grabbing engine find vulnerabilities without sending any data to the cloud. Native macOS app, no dependencies.

Download Free Trial

The accuracy of any CVE scanner depends entirely on how precisely it can identify the software running on each open port. A scanner that only knows "port 80 is open" cannot tell you anything about vulnerabilities. A scanner that knows "port 80 is running Apache HTTP Server 2.4.49 on Ubuntu" can tell you about every CVE affecting that exact version. This identification process is called banner grabbing, and Paranoid implements it at a level of sophistication comparable to professional penetration testing tools.

How banner grabbing works

When you connect to a network service, many services immediately send an identification string — a "banner." An SSH server sends SSH-2.0-OpenSSH_9.3p1. An FTP server sends 220 ProFTPD 1.3.7 Server ready. An SMTP server sends 220 mail.example.com ESMTP Postfix (Ubuntu). These banners directly reveal the software name and version.

But not all services volunteer this information. HTTP servers, for example, require a properly formatted request before they respond, and even then the version may be hidden or obfuscated. Database servers, custom applications, and proprietary protocols each have their own handshake sequences. This is where Paranoid's BannerGrabber goes beyond simple connection-and-read.

The BannerGrabber uses nmap-style service probes — a database of protocol-specific payloads that elicit version-identifying responses from services. The nmap service probe format is the gold standard for service fingerprinting, developed over two decades by the nmap project. Each probe consists of:

Paranoid's NmapProbeParser loads the full nmap probe database at startup and the ServiceProbeDatabase organizes probes by port for efficient lookup. When a port is found open, the BannerGrabber selects the relevant probes ordered by rarity (most common first), sends each probe, and matches the response against the regex rules. The first match extracts the product name, version, and often additional metadata like the operating system and CPE string. This process is repeated across all open ports, building a complete service inventory of the target device.

From banner to CPE

Once the BannerGrabber identifies a service (e.g., "OpenSSH 8.2p1"), the CPEGuesser takes over. Its job is to convert this human-readable identification into the standardized CPE format that the NVD uses to track affected products. This translation is not trivial — "OpenSSH" maps to vendor "openbsd" and product "openssh" in CPE notation; "Apache" maps to vendor "apache" and product "http_server"; "MySQL" maps to vendor "oracle" and product "mysql" (because Oracle acquired MySQL).

The CPEGuesser maintains an internal mapping of 160+ service names to their correct CPE vendor:product pairs. For each identified service, it generates multiple CPE variants at decreasing levels of specificity:

Input: OpenSSH 8.2p1

cpe:2.3:a:openbsd:openssh:8.2p1:*:*:*:*:*:*:*    (exact version)
cpe:2.3:a:openbsd:openssh:8.2:*:*:*:*:*:*:*       (major.minor)
cpe:2.3:a:openbsd:openssh:8:*:*:*:*:*:*:*          (major only)
cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*          (any version)

This multi-variant approach is essential because CVEs in the NVD are not always tagged with the exact micro-version — some are tagged to a major.minor version range, others to a specific patch level. By generating variants from most specific to least specific and stopping at the first match, the scanner maximizes both precision and recall.

The Offline CVE Database: No Cloud Required

One of the most significant architectural decisions in Paranoid's vulnerability scanner is the offline-first approach. Unlike cloud-based vulnerability scanners that upload your scan results to a remote server for analysis, Paranoid ships with a complete, local SQLite database of known CVEs that runs entirely on your Mac.

Why offline matters

Privacy is the most obvious reason. When you scan your network for vulnerabilities, you are generating a detailed inventory of every service, version, and weakness on every device. This is exactly the kind of intelligence an attacker would pay for. Uploading it to a third-party cloud service — even one that promises encryption and privacy — creates a target that, if breached, exposes your entire network's vulnerability profile. With Paranoid, that data never leaves your machine.

But privacy is not the only reason. Offline scanning also provides speed (local SQLite queries complete in milliseconds, not seconds), reliability (no dependency on API availability or internet connectivity), and determinism (the same scan produces the same results regardless of network conditions). You can scan an air-gapped lab network, a client's network where you cannot install agents, or your own network during an internet outage — and the vulnerability scanner works identically every time.

How the offline database works

The database is a SQLite file stored at ~/Library/Application Support/ParanoidIPScanner/cve_database.sqlite. It contains two primary tables: cves (storing CVE ID, CVSS score, severity, description, publication date, and last modified date) and cve_cpes (storing the many-to-many relationship between CVEs and affected CPE strings, with a vulnerability flag). Indexes on the CPE column and severity column ensure fast lookups even as the database grows to hundreds of thousands of entries.

On first launch, Paranoid decompresses a pre-seeded database from the app bundle using Apple's LZFSE compression algorithm. This seed database contains CVEs covering the most common networking equipment, web servers, SSH implementations, and embedded device firmware — giving you immediate offline scanning capability from the moment you install the app.

Keeping it current

The CVE database can be updated incrementally directly from the NVD API 2.0 (services.nvd.nist.gov). Paranoid tracks the last synchronization timestamp and downloads only CVEs that have been published or modified since then. A full initial download covers four years of CVE data in 120-day windows; subsequent updates are typically a single paginated request covering days or weeks of new entries. If a download window fails (due to NVD rate limiting or transient errors), the downloader automatically retries with smaller 30-day sub-windows.

For users who want faster downloads, Paranoid supports an optional NVD API key (free from nvd.nist.gov) that increases the rate limit from one request per 6.5 seconds to one per 0.8 seconds — approximately 8x faster. The API key is stored in UserDefaults and sent as an HTTP header; it is never transmitted to Paranoid's servers.

The multi-level lookup strategy

When the scanner needs to find CVEs for a given CPE string, it follows a four-level fallback strategy that maximizes both speed and coverage:

Level Source Speed When Used
1 In-memory cache Instant CPE was queried within last 7 days
2 NVD API 2.0 (online) 1–10s Cache miss, internet available, online mode enabled
3 Offline DB — exact CPE match <1ms Online lookup failed or disabled
4 Offline DB — prefix match (vendor:product) <5ms Exact CPE not found in offline DB

The prefix match at level 4 is particularly important. If the offline database does not contain the exact CPE cpe:2.3:a:openbsd:openssh:8.2p1:*, it will match against cpe:2.3:a:openbsd:openssh:% — returning all CVEs affecting any version of OpenSSH. This is less precise but ensures that even when the exact version is not in the database, the scanner still surfaces relevant vulnerabilities that the user should investigate. The results clearly indicate whether the match was exact or prefix-based, so you can assess confidence accordingly.

EPSS: Predicting Which Vulnerabilities Will Be Exploited

Finding a CVE on your router is important. Knowing whether that CVE is actively being exploited in the wild is transformational. This is the distinction between CVSS and EPSS — and understanding it changes how you prioritize remediation.

The problem with CVSS alone

CVSS scores tell you the theoretical maximum impact of a vulnerability. A score of 9.8 means that if the vulnerability were successfully exploited, the consequences would be severe: full system compromise, data exfiltration, or denial of service. But CVSS says nothing about whether the vulnerability will be exploited. Of the 230,000+ CVEs in the NVD, fewer than 5% have ever been exploited in the wild. Many critical-severity CVEs require highly specific conditions, unusual configurations, or chain multiple vulnerabilities together in ways that are impractical for mass exploitation. If you prioritize purely by CVSS, you spend equal effort on a theoretical risk and an active threat.

What EPSS tells you

The Exploit Prediction Scoring System (EPSS), developed by FIRST.org, uses machine learning trained on real-world exploitation data to predict the probability that a CVE will be exploited within the next 30 days. The model considers factors including: whether exploit code is publicly available, whether the CVE is referenced in threat intelligence feeds, the age of the vulnerability, the CVSS score, the affected product's market share, and patterns in attacker behavior. The output is a probability from 0% to 100%.

EPSS transforms vulnerability management from "fix everything critical" (impossible for most organizations) to "fix what attackers are actually targeting" (actionable and efficient). Consider two hypothetical findings on your router:

CVE CVSS Severity EPSS Interpretation
CVE-2024-21762 9.8 Critical 87.3% Actively exploited, patch immediately
CVE-2024-33201 9.1 Critical 0.04% Severe but not exploited, schedule patch

Both are "Critical" by CVSS. But the first has an 87.3% probability of exploitation in the next 30 days — it is being actively targeted by attackers right now. The second has a 0.04% probability — it is theoretically severe but practically dormant. Without EPSS, you would treat both identically. With EPSS, you know exactly which one demands your immediate attention.

How Paranoid uses EPSS

Paranoid's WeaknessScorer combines CVSS base scores with EPSS probability data and local context factors to produce a composite risk assessment. The local context factors include: whether the vulnerable port is exposed through the router's port forwarding (higher risk than LAN-only exposure), whether the service is a critical infrastructure component (DNS, DHCP, routing), and whether the default configuration is vulnerable without any user action. This three-dimensional scoring — theoretical severity (CVSS) + exploitation likelihood (EPSS) + local exposure (context) — gives you a prioritized, actionable list of findings rather than a wall of CVE numbers sorted by an arbitrary score.

In the Paranoid interface, each vulnerability result displays both scores prominently: the CVSS badge is color-coded (red for Critical, orange for High, yellow for Medium, blue for Low) and the EPSS percentage is shown alongside it. Sorting by EPSS lets you immediately see which vulnerabilities on your network are most likely to be exploited — and address them first.

Router-Specific Vulnerability Checks

Beyond the general CVE scanning pipeline that works across all devices, Paranoid includes a dedicated RouterVulnerabilityService that performs checks specifically designed for routers and gateways. This service understands the unique threat model of the device that controls all traffic between your home network and the internet.

Default credential testing

The scanner tests the router's admin interface (typically on port 80 or 443) against a database of known default credentials. These are not random guesses — they are the factory-default usernames and passwords documented in the router's own manual and in public databases like routerpasswords.com. Common pairs include admin/admin, admin/password, admin/1234, root/root, and manufacturer-specific defaults. If any pair succeeds, this is flagged as a critical finding because it means anyone on your network (or anyone on the internet, if remote management is enabled) can take full control of your router.

UPnP exposure assessment

The RouterVulnerabilityService performs a three-phase UPnP assessment. First, it sends SSDP M-SEARCH multicast packets targeting Internet Gateway Device (IGD) profiles to discover whether UPnP is active. Second, if an IGD is found, it fetches the device description XML and extracts the SOAP control URL. Third, it sends iterative GetGenericPortMappingEntry SOAP requests to enumerate every port forwarding rule that UPnP has created. Each discovered mapping is classified by risk:

Risk Level Ports Example Services
Critical 22, 23, 445, 3389, 3306, 5432 SSH, Telnet, SMB, RDP, MySQL, PostgreSQL
High 21, 25, 53, 110, 143, 1433 FTP, SMTP, DNS, POP3, IMAP, MSSQL
Medium 80, 443, 8080, 8443 HTTP, HTTPS, Web proxies
Low All other ports Gaming, media streaming, etc.

If your router has UPnP-created port forwarding rules exposing SSH (port 22) or RDP (port 3389) to the internet, that is a critical finding — these are the protocols most aggressively brute-forced by automated botnets.

NAT-PMP detection

NAT-PMP (NAT Port Mapping Protocol) is an alternative to UPnP that some routers support. The scanner sends a UDP packet to port 5351 on the gateway with opcode 0 (external address request). If the router responds, NAT-PMP is active, meaning devices on your network can programmatically open ports without authentication. While less commonly exploited than UPnP, NAT-PMP support represents an unnecessary attack surface that should be disabled if not needed.

Encryption and protocol assessment

The WeaknessScorer analyzes the router's running services for deprecated or weak protocols and ciphers. For the web admin panel (typically port 443 or 8443), it checks for SSLv3, TLS 1.0, TLS 1.1, and weak cipher suites (DES, RC4, MD5-based MACs, NULL ciphers, EXPORT-grade ciphers). For SSH (if enabled on the router), it checks for SSHv1 and outdated OpenSSH versions below 7.0. For any FTP service, it checks for anonymous access and unencrypted transmission. Each weakness generates a CONFIG-* finding with an appropriate CVSS score — for example, SSLv3 (the POODLE vulnerability) scores 9.8 Critical, while HTTP without TLS scores 5.3 Medium.

Security score

The router vulnerability report includes a composite security score from 0 to 100, calculated by starting at 100 and deducting points for each finding: −20 for UPnP being active, −10 for NAT-PMP, −15 for each critical-risk port mapping, −10 for each high-risk mapping, and −5 for each medium-risk mapping. This single number gives you an immediate, intuitive assessment of your router's security posture — and a clear target to improve toward.

Reading Your Vulnerability Report

After scanning, Paranoid presents vulnerability results in two complementary views: the per-host vulnerability section in the Host Detail overlay, and the full vulnerability list in a dedicated modal sheet. Understanding how to read these views helps you take effective action on the findings.

Per-host vulnerability section

When you select a host in Paranoid's main view and open the detail overlay, the vulnerability section appears after the port list. If a CVE scan has been performed (either automatically during a network scan with the CVE toggle enabled, or on-demand via the CVE button in the action bar), this section shows a severity summary — colored badges indicating how many Critical, High, Medium, and Low findings were detected — followed by the top 10 most severe results.

Each result card displays:

Expanding a card reveals additional details: the matched CPE string, publication date, last modification date, and a direct link to the NVD entry for the CVE. For configuration weaknesses, the expanded view shows the specific condition detected and the recommended remediation.

Full vulnerability list

Clicking "Show All" opens the VulnerabilityDetailView — a modal sheet (minimum 700x600 points) showing all vulnerabilities for the selected host. This view adds text search (filter by CVE ID, description, or service name) and severity filtering (All, Critical, High, Medium, Low chips). Results are sorted by severity descending, so the most critical findings are always at the top. This is the view you use for thorough analysis and documentation — when you need to produce a complete inventory of findings for a specific device.

Router vulnerability report

The dedicated RouterVulnerabilityView (accessible from the Router Vulnerability section in the sidebar) provides a specialized view for the gateway device. It features an animated circular security score (0–100), a gateway information card (IP, hostname, detected protocols), a list of all UPnP port mappings with per-mapping risk indicators, and prioritized recommendations based on the specific findings. This is your single-pane-of-glass view for router security posture.

Fixing What the Scanner Finds

Detection without remediation is monitoring, not security. Here is a practical remediation guide for the most common findings, organized by severity and effort required.

Critical: Default credentials

Effort: 2 minutes. Impact: Eliminates the single most exploited router vulnerability. Log into your router's admin panel (typically 192.168.1.1 or 192.168.0.1 in a browser). Navigate to Administration or System settings. Change both the username (if your router allows it) and the password. Use a strong, unique password stored in your password manager. This one change blocks the majority of automated router attacks.

Critical: Firmware CVEs

Effort: 5–15 minutes. Impact: Patches known, exploitable vulnerabilities. In your router's admin panel, navigate to Firmware Update or System Update. Check for available updates. If an update is available, download and install it. The router will reboot during the process. After the update, re-run the Paranoid vulnerability scan to verify the CVEs are resolved. If no update is available and the router is end-of-life, the only complete remediation is replacing the router with a currently supported model.

High: UPnP port mappings exposing sensitive services

Effort: 5 minutes. Impact: Closes external attack surface. In your router's admin panel, navigate to UPnP settings. The best approach is to disable UPnP entirely — it is an inherently insecure protocol that allows unauthenticated port forwarding. If you need specific ports open for gaming or other applications, create manual port forwarding rules instead. Manual rules are explicit, auditable, and do not allow arbitrary port opening by compromised devices.

High: Weak encryption (WEP, WPA-TKIP)

Effort: 5 minutes. Impact: Prevents WiFi password cracking. In your router's wireless settings, change the security mode to WPA2-AES (or WPA3 if your router and all your devices support it). WEP can be cracked in minutes with freely available tools. WPA with TKIP has known vulnerabilities that allow partial key recovery. Only WPA2-AES and WPA3-SAE are considered secure in 2026.

Medium: Configuration weaknesses (SSL/TLS, HTTP without encryption)

Effort: 5–10 minutes. Impact: Prevents credential interception on admin panel. If your router's admin panel is accessible over plain HTTP, check the settings for an option to enable HTTPS. If HTTPS is enabled but using TLS 1.0 or 1.1, check for a firmware update that adds TLS 1.2/1.3 support. If the router does not support modern TLS, access the admin panel only from a trusted, wired connection — never over WiFi.

Low: NAT-PMP active

Effort: 2 minutes. Impact: Removes unnecessary attack surface. In your router's settings, look for NAT-PMP or PCP (Port Control Protocol) and disable it. Most home networks do not need NAT-PMP — it is primarily used by Apple's Back to My Mac feature (now discontinued) and some VoIP applications that can fall back to manual configuration.

Building a remediation schedule

Not every finding needs to be fixed today. Use the EPSS score to prioritize: vulnerabilities with EPSS above 10% are being actively exploited and should be addressed within 24–48 hours. Vulnerabilities with EPSS between 1% and 10% should be addressed within a week. Everything else can be scheduled for the next maintenance window. After remediation, re-scan to verify the fix was effective — firmware updates sometimes fail silently, and configuration changes do not always take effect without a reboot.

Frequently Asked Questions

What is a CVE and why should I care about my router having them?

A CVE is a publicly disclosed security flaw with a unique identifier. Each one describes a specific weakness in a specific product version that attackers can exploit. Routers are particularly concerning because they sit between your entire home network and the internet. A single unpatched CVE in your router's firmware can give an attacker complete control of your network traffic, the ability to redirect DNS queries to malicious servers, or a persistent backdoor that survives factory resets. Most consumer routers run multiple network-facing services — web servers, SSH, UPnP, DNS — each with their own CVE histories. Unlike your Mac or iPhone, which update automatically, router firmware must typically be updated manually, and most people never do.

Does the CVE scanner send my network data to the cloud?

No. Paranoid ships with an offline SQLite CVE database that is pre-seeded and stored locally on your Mac at ~/Library/Application Support/ParanoidIPScanner/cve_database.sqlite. All vulnerability lookups are performed against this local database first. The scanner only contacts the NVD API if the offline database does not have a match and you have not disabled online lookups. Even when online lookups occur, the only data sent is the CPE string — a standardized product identifier like cpe:2.3:a:apache:http_server:2.4.49 — not your IP address, network topology, or any other identifying information. You can disable online lookups entirely in the settings and rely exclusively on the offline database.

How does EPSS scoring differ from CVSS scoring?

CVSS rates theoretical severity; EPSS predicts real-world exploitation probability. CVSS scores a vulnerability from 0 to 10 based on how bad it could be if exploited. EPSS predicts the probability (0–100%) that it will be exploited in the next 30 days based on real-world threat intelligence. A CVE might have a CVSS of 9.8 (Critical) but an EPSS of 0.1% because no exploit exists. Conversely, a CVSS 6.5 (Medium) might have an EPSS of 85% because it is being mass-exploited. Paranoid shows both scores so you can prioritize effectively: high-CVSS plus high-EPSS means patch immediately; high-CVSS plus low-EPSS means schedule the patch.

What does the router vulnerability scanner check besides CVEs?

Five additional categories. First, default credentials — known factory username/password pairs like admin/admin. Second, encryption strength — WEP, WPA-TKIP, SSLv3, TLS 1.0/1.1 on the admin panel. Third, UPnP exposure — SSDP discovery to find the Internet Gateway Device, then SOAP enumeration of all port mappings. Fourth, NAT-PMP support — probing UDP 5351 for the port mapping protocol. Fifth, configuration weaknesses in running services — FTP without encryption, Telnet enabled, HTTP admin panels without TLS, SSH version 1, and weak cipher suites.

How often should I scan my router for vulnerabilities?

After every firmware update and at least monthly. Scan after firmware updates to verify the patches were actually applied. Scan after configuration changes to ensure you did not inadvertently expose a new service. Monthly scans catch newly disclosed CVEs that affect your current firmware version. Paranoid's offline CVE database can be updated incrementally (downloading only new CVEs since the last update), so keeping the database current is fast and efficient. If you use Paranoid's network monitor feature, vulnerability checks can be scheduled automatically.

Can Paranoid fix the vulnerabilities it finds on my router?

No — and no legitimate security tool can. Paranoid identifies vulnerabilities and provides specific remediation advice for each finding, but the actual fixes must be applied on the router itself. For firmware CVEs, the fix is a firmware update. For configuration weaknesses like UPnP or default credentials, the fix involves changing router settings. For end-of-life routers that no longer receive updates, the only remediation is replacement — and Paranoid clearly flags this situation. The value of the scanner is in finding the problems and prioritizing them so you know exactly what to fix and in what order.

Your router is the single most important security device on your network. It controls every packet that enters and leaves your home. It resolves every DNS query. It assigns every IP address. It decides what traffic to allow and what to block. And right now, it is almost certainly running firmware with known, documented, publicly disclosed vulnerabilities that have available patches you have not applied. That firmware update notification you dismissed is not a nuisance — it is the difference between a secure network and a compromised one.

The good news is that finding these vulnerabilities takes less time than reading this article. Paranoid's CVE scanner identifies them in minutes using an offline database that never sends your data to the cloud, banner grabbing that fingerprints every service with nmap-grade precision, CPE matching that correlates those fingerprints with the NVD's quarter-million CVEs, and EPSS scoring that tells you which vulnerabilities attackers are actually exploiting right now. The router-specific checks go further — testing default credentials, enumerating UPnP port mappings, detecting NAT-PMP, and flagging weak encryption. The result is a complete, prioritized security assessment of the most critical device on your network.

You do not need to be a penetration tester or a network engineer to use it. You do not need a Linux server, a cloud subscription, or a Terminal window. You need a Mac running macOS 14 or later and about two minutes of your time. Run the scan. Read the results. Fix the critical findings. Update your firmware. Change the default password. Disable UPnP. These are simple, concrete actions that dramatically reduce your attack surface — and Paranoid tells you exactly which ones to take and in what order.

The attackers already know about your router's vulnerabilities. The only question is whether you do too.

Find your router's vulnerabilities before attackers do

Download Paranoid and run a CVE scan on your network in under 2 minutes. Offline database, EPSS scoring, banner grabbing, default credential testing, and UPnP assessment — all from a native macOS app.

Download Paranoid — Free Trial See All Features

Related Articles

SECURITY

How to Set a Trap for Hackers on Your Home Network

February 2026 · 16 min read
TUTORIAL

Port Scanner on macOS: Built-in vs Pro Tools

February 2026 · 14 min read
SECURITY

How to Detect Hidden Cameras on Your WiFi Network

February 2026 · 12 min read