Request for Temporary Mitigation Guide/Official Patch for CVE-2020-12695

So there is a vulnerability CVE-2020-12695 dubbed “CallStranger” that so far is not mentioned anywhere on the MikroTik forum.

The patch required for vendors is described here: https://openconnectivity.org/upnp-specs/UPnP-arch-DeviceArchitecture-v2.0-20200417.pdf

More information on the vulnerability can be found here: https://callstranger.com/

Since we do not have an official patch from MikroTik at the moment, and I personally do not have sufficient knowledge to be able to come up with a temporary workaround short of disabling UPnP completely (which I don’t want to do as I have tons of games/apps that need port forwarding to achieve “Open NAT” status for smooth operation), perhaps some of you more experienced and more knowledgeable folks here have some ideas for some firewall rules to temporarily mitigate this vulnerability.

Unless you opened up UPnP to the internet, I don’t see the big drama over this.

It seems that there’s some mechanism in UPnP where a client can subscribe to some events and specify a callback URL that will be called by the server. And this URL can be anything. It doesn’t seem to be necessarily related to port forwarding, which is why you’d use UPnP on a router. So the trouble is not just with UPnP on the router, but possibly with any UPnP device in the network, because if an evil client can talk to it, it can make it connect to any URL and possibly bypass some filtering. E.g. if you have an untrusted client device and you don’t let it access the internet, but it can connect to some UPnP device which does have internet access, this bad client can use that UPnP device to send some data out.

So this problem in RouterOS is most likely no big deal. You don’t need to worry about access from outside, because RouterOS seems to accept UPnP connections only from interfaces marked as internal. Plus your firewall should block connections from the internet anyway. And if you have some untrusted device in the LAN that should not be allowed to talk to UPnP on the router, you can also use the firewall to block it. And MikroTik will surely fix it properly (they should limit what URLs can be used for callback), if they didn’t already (I don’t have the latest RouterOS in a place where I can easily test it).

You should be more worried about other UPnP devices. For example, I tried the test and it says that the TV has UPnP and is vulnerable. And since it’s a little older, it’s unlikely that the manufacturer will update anything.

How do we block a specific client device with static IP from using UPnP on RouterOS?
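One way to do what the reply above suggests (use the firewall to keep an untrusted LAN host away from the router's UPnP service) and what the last question asks, written as an added example for this thread rather than anything posted by a forum member or published by MikroTik. It assumes the untrusted host has the constructed static address 192.168.88.50, that the LAN interface is named `bridge`, and that RouterOS answers SSDP discovery on UDP/1900 and serves its UPnP SOAP/eventing HTTP endpoint on TCP/2828 (the port RouterOS is documented to use for UPnP; confirm it on your version before relying on the rule). UPnP stays available to every other LAN host.

```routeros
# Added example, not from the thread: block one static-IP LAN host from reaching the
# router's UPnP service while leaving UPnP working for the rest of the LAN.
# Assumptions: untrusted host 192.168.88.50 (constructed address), LAN interface "bridge",
# RouterOS UPnP on UDP/1900 (SSDP) and TCP/2828 (SOAP and SUBSCRIBE/eventing HTTP).

# Keep the blocked hosts in an address list so more devices can be added later
# without touching the filter rules.
/ip firewall address-list
add list=upnp-blocked address=192.168.88.50 comment="untrusted host, no UPnP"

# Drop UPnP traffic from listed hosts in the input chain. place-before=0 puts each rule at
# the top of the chain so it takes effect before any broad "accept from LAN" rule.
/ip firewall filter
add chain=input action=drop protocol=udp dst-port=1900 src-address-list=upnp-blocked in-interface=bridge comment="no SSDP discovery from blocked hosts" place-before=0
add chain=input action=drop protocol=tcp dst-port=2828 src-address-list=upnp-blocked in-interface=bridge comment="no UPnP SOAP/SUBSCRIBE from blocked hosts" place-before=0

# Check: the packet/byte counters of these two rules increase whenever the blocked host
# tries to talk UPnP to the router, so they double as a detection signal.
/ip firewall filter print stats where comment~"blocked hosts"
```

The SSDP rule also covers the multicast discovery the host sends to 239.255.255.250, since it matches on the destination port rather than the destination address. Note that this only protects the router itself; the other reply's point stands that a vulnerable TV or similar device on the same LAN needs its own rule (for example, dropping traffic from the untrusted host to that device's address in the forward chain) if it cannot be patched.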