Yeah, I'm pretty sure about Skype since I see Port Forwarding rules appear on the router for all devices it is installed on (tablets, laptops, desktops).
If it did not do that when I installed Skype, I'm pretty sure that I would have to manually configure the port forwarding in order for it to work (maybe there is another way that I do not know). It only needs to do it once. During setup or I guess during first use on a new network as I do see rules for devices that people visiting me have used on my home network. After the port forwarding is set it doesn't need uPnP anymore to use the software. After that the hole is there so Skype can run without using uPnP after that.
Here is one of the Port Forwarding rules it added when Skype was installed on a laptop on my home network...
Another sort of scary thing that I found while trying to figure out what this uPnP alert means is that on many routers people are saying that selecting to turn off uPnP does not really turn it off as much as you think it would. I don't know if there is any truth to that but it seemed to be an issue that kept coming up in threads that I found.
My understanding is that SSDP in my examples is used upon installation of a new decive or software to see if there are any gateways between it and the internet. If it discovers any then uPnP is used to set the neccesary port forwarding rules.
The problem here looks like they used SSDP in a backwards manner and were able to find routers that respond to it from the outside and then using vulnerabilities in uPnP (it is not very hard to trick) act like a device inside the network. Or even worse, it does not need to use vulnerabilities and just uses uPnP to get the list of commands and is able to execute them as if it were a device on the inside of the network.
I can think of a lot of naughty ways to ruin a person's day if I had that kind of access to their network from the internet