"The vulnerable IPs are seem to be mostly unprotected home routers."

I interpreted this as routers that themselves have uPnP implementations, probably intended to advertise themselves to clients on the local network, but that listen on all network interfaces by mistake.