CVE-2025-55971 in 65C655 Smart TV
Summary
by MITRE • 10/03/2025
TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16398 and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows for sending requests on behalf of the TV, which can be leveraged to probe for other internal or external services accessible by the device (e.g., 127.0.0.1:16XXX, LAN services, or internet targets), potentially enabling additional exploit chains.
Analysis
by VulDB Data Team • 10/04/2025
The vulnerability identified as CVE-2025-55971 affects TCL 65C655 Smart TV devices running firmware version V8-R75PT01-LF1V269.001116 on Android TV with kernel version 5.4.242+. The device exposes a UPnP MediaRenderer whose AVTransport:1 service listens on TCP port 16398. The flaw is a blind Server-Side Request Forgery that requires no authentication to exploit, which is particularly concerning for a network-connected IoT device. It stems from the device's handling of SetAVTransportURI SOAP requests, which are processed without proper validation of the external URI they reference. An attacker can therefore craft requests that instruct the TV to fetch content from arbitrary locations, effectively using the device as a proxy for network reconnaissance and data exfiltration.
Technically, the UPnP service accepts unauthenticated SOAP requests whose URI parameter is passed straight to the underlying media transport mechanism. When the device receives a SetAVTransportURI request with an attacker-controlled URI, it attempts to retrieve the specified resource without sanitization or access control. This creates a blind SSRF condition: the attacker cannot directly observe the responses of the systems the TV contacts, but can still use the device's network connectivity to probe internal services, bypass network segmentation, and potentially reach sensitive information. The vulnerability operates at the application layer and is exploitable remotely over the network, without physical access or prior authentication. Exposing the UPnP service on TCP port 16398 therefore creates an attack surface for network-level reconnaissance and exploitation attempts.
The operational impact of this vulnerability extends beyond simple network probing to potentially enable more sophisticated attack vectors. Attackers can use the blind SSRF to enumerate internal services running on the device's local network, including but not limited to web servers, database systems, or other IoT devices that may be accessible through the TV's network interface. The vulnerability can be leveraged to perform service discovery against localhost addresses and other internal network segments, potentially revealing additional attack surfaces within the network environment. This capability creates opportunities for attackers to map internal network topologies, identify vulnerable services, and potentially establish persistent access points within the network. The implications are particularly severe in enterprise or home networks where the Smart TV may be connected to sensitive internal systems or serve as a gateway to other network segments.
Security mitigations for this vulnerability should focus on implementing proper input validation and access control measures within the UPnP service implementation. Network segmentation and firewall rules should be applied to restrict access to TCP port 16398 from untrusted networks, while also implementing proper URI validation to prevent the processing of external references that could lead to SSRF conditions. The device firmware should be updated to remove or disable the vulnerable UPnP service functionality, or at minimum, implement proper authentication requirements for SOAP requests. Organizations should also consider implementing network monitoring to detect unusual outbound connections from the device, as these may indicate exploitation attempts. This vulnerability aligns with CWE-918 which describes Server-Side Request Forgery vulnerabilities, and maps to ATT&CK technique T1071.004 for application layer protocol usage. The lack of authentication requirements and insufficient input validation creates a persistent security risk that requires immediate remediation through firmware updates or network-level controls to prevent exploitation.
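The following is an added example, not TCL firmware code or VulDB tooling, showing the URI validation that the mechanism and mitigation paragraphs above call for. A hardened SetAVTransportURI handler parses the SOAP envelope, extracts `CurrentURI`, and refuses anything that is not HTTP(S) to an allowed port on a globally routable address; it resolves every DNS answer before deciding and returns the resolved addresses so the fetcher can pin them. `ALLOWED_SCHEMES`, `ALLOWED_PORTS`, the `FAKE_DNS` map and the 8.8.8.8 / 8.8.4.4 placeholder addresses are assumptions constructed so the example runs offline.

```python
"""Hardened handling of a UPnP AVTransport:1 SetAVTransportURI request.

Added example, not TCL firmware code or VulDB tooling. ALLOWED_SCHEMES,
ALLOWED_PORTS and FAKE_DNS are assumptions constructed for the demonstration.
"""
import ipaddress
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

ALLOWED_SCHEMES = {"http", "https"}       # assumption: media is only fetched over HTTP(S)
ALLOWED_PORTS = {80, 443, 8080, 8443}     # assumption: typical media-server ports

# Constructed resolver map so the example runs offline (not real DNS data;
# the public addresses are placeholders).
FAKE_DNS = {
    "media.example.com": ["8.8.8.8"],
    "nas.lan": ["192.168.1.20"],
    "dual.example.com": ["8.8.4.4", "10.0.0.5"],
}


def fake_resolve(host):
    """Offline stand-in for DNS, used by the demo and tests."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"cannot resolve {host}")
    return FAKE_DNS[host]


def system_resolve(host):
    """Real resolver: returns every A/AAAA answer, so one public answer cannot
    hide an internal one (dual-answer or rebinding tricks)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public(ip):
    """True only for globally routable unicast addresses."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                 # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def extract_current_uri(soap_body):
    """Pull CurrentURI out of the SOAP envelope, ignoring namespace prefixes."""
    root = ET.fromstring(soap_body)
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "CurrentURI":
            return (element.text or "").strip()
    return None


def validate_media_uri(uri, resolve=system_resolve):
    """Return (accepted, reason, pinned_ips).

    pinned_ips are the addresses the fetcher must connect to directly; a second
    lookup at fetch time would reopen the door to DNS rebinding."""
    try:
        parts = urlsplit(uri)
        port = parts.port                   # raises ValueError on a bad port
    except ValueError as exc:
        return False, f"malformed URL: {exc}", []
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed", []
    if parts.username or parts.password:
        return False, "credentials in URL not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []
    try:
        addrs = [ipaddress.ip_address(host)]            # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False, f"cannot resolve {host!r}", []
    for ip in addrs:
        if not is_public(ip):
            return False, f"{host!r} maps to non-public address {ip}", []
    return True, "ok", [str(ip) for ip in addrs]


def handle_set_av_transport_uri(soap_body, resolve=system_resolve):
    """Decision the UPnP handler makes before touching the network."""
    try:
        uri = extract_current_uri(soap_body)
    except ET.ParseError as exc:
        return {"accepted": False, "uri": None, "reason": f"bad XML: {exc}", "pinned_ips": []}
    if not uri:
        return {"accepted": False, "uri": None, "reason": "missing CurrentURI", "pinned_ips": []}
    accepted, reason, ips = validate_media_uri(uri, resolve)
    return {"accepted": accepted, "uri": uri, "reason": reason, "pinned_ips": ips}


def sample_request(uri):
    """Constructed SetAVTransportURI envelope in the standard UPnP SOAP shape."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:SetAVTransportURI xmlns:u="urn:schemas-upnp-org:service:AVTransport:1">
      <InstanceID>0</InstanceID>
      <CurrentURI>{escape(uri)}</CurrentURI>
      <CurrentURIMetaData></CurrentURIMetaData>
    </u:SetAVTransportURI>
  </s:Body>
</s:Envelope>"""


if __name__ == "__main__":
    for candidate in ("http://media.example.com/movie.mp4", "http://127.0.0.1/x",
                      "http://nas.lan/share/a.mkv", "file:///tmp/a.mp4"):
        print(handle_set_av_transport_uri(sample_request(candidate), fake_resolve))
```

Two design points matter beyond the obvious scheme and address checks. First, every DNS answer is inspected, not just the first, and the resolved addresses are handed back for the fetcher to connect to directly; a handler that validates a hostname and then lets the HTTP client resolve it again can be rebound to an internal address between the two lookups. Second, the rejection reason is returned as data so the firmware can log it, which gives the outbound-connection monitoring the paragraph above recommends something concrete to alert on. Validation in the handler does not replace the network-level controls: the UPnP port should still be unreachable from untrusted networks, and the TV's outbound traffic to loopback and LAN ranges should be restricted by the firewall as well.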