In January 2013, Rapid7 published a great paper describing several vulnerabilities in the most common UPnP libraries.
Six months later, many devices based on these libraries have not been updated and are still exposed.
For example, the Axis M1011 camera contains a vulnerable version of libupnp, which can lead to arbitrary remote code execution without authentication.
You can find the corresponding metasploit module on my Github.
To check whether your devices are vulnerable to known UPnP attacks, you can use ScanNow tool by Rapid7.