Associated Vulnerability
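Title: TCL 65C655 Smart TV security vulnerability (CVE-2025-55971)
Description: The TCL 65C655 Smart TV is a smart television from the Chinese company TCL. TCL 65C655 Smart TV firmware version V8-R75PT01-LF1V269.001116 contains a security vulnerability: the UPnP MediaRenderer service accepts unauthenticated SetAVTransportURI SOAP requests, which may lead to server-side request forgery attacks.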
Description
TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) via the UPnP MediaRenderer service (AVTransport).
Readme
# CVE-2025-55971-Blind-Unauthenticated-SSRF-in-TCL-Smart-TV-UPnP-DLNA-AVTransport
TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) via the UPnP MediaRenderer service (AVTransport).
### Vendor:
TCL Technology Group Corporation
### Product:
TCL Smart TV (tested: 65C655)
### Vulnerability type:
Unauthenticated blind Server-Side Request Forgery (SSRF) in UPnP/DLNA MediaRenderer (AVTransport)
### Impact:
Device may issue outbound HTTP requests to attacker-controlled destinations on the local network or the Internet (blind SSRF).
### CVSS v3.1 (Base):
4.6 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)
### Discovery date:
2025-06-28
### CVE:
CVE-2025-55971
## Description:
TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16XXX and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows an attacker to force the TV to send requests on its behalf to internal targets (e.g., 127.0.0.1:16XXX, LAN services) or Internet targets, which may be leveraged in further exploit chains. Supported URIs include .jpg, .png, .mp3, .mp4, .gif, and other standard media formats. The affected port changes across restarts but remains within the 16XXX range.
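For monitoring, the check below is an added example (not part of the original README or of any TCL code): it pulls `CurrentURI` out of a captured SetAVTransportURI SOAP body and labels the destination the renderer would be made to contact. The LAN range, the allowlisted media server and the sample bodies are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AVT_NS = "urn:schemas-upnp-org:service:AVTransport:1"
LAN = ipaddress.ip_network("192.168.1.0/24")            # assumed home LAN
MEDIA_SERVERS = {ipaddress.ip_address("192.168.1.10")}  # assumed known DLNA server

def extract_current_uri(soap_body):
    """Return CurrentURI from a SetAVTransportURI body, or None if absent."""
    try:
        # For untrusted captures, prefer a hardened parser such as defusedxml.
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return None
    action = root.find(f"{{{SOAP_NS}}}Body/{{{AVT_NS}}}SetAVTransportURI")
    node = action.find("CurrentURI") if action is not None else None
    return (node.text or "").strip() if node is not None else None

def classify(uri):
    """Label where the renderer would be made to connect."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname
    except ValueError:
        return "invalid"
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # resolve, then classify each returned address
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip in MEDIA_SERVERS:
        return "allowed"
    return "lan-unlisted" if ip in LAN else "off-lan"

def review(soap_body):
    """Return (uri, label) for a SetAVTransportURI body, else None."""
    uri = extract_current_uri(soap_body)
    return None if uri is None else (uri, classify(uri))

def soap(uri):  # constructed sample body, used only as detector input
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:SetAVTransportURI xmlns:u="{AVT_NS}"><InstanceID>0</InstanceID>'
            f'<CurrentURI>{uri}</CurrentURI><CurrentURIMetaData/>'
            f'</u:SetAVTransportURI></s:Body></s:Envelope>')
```

Any label other than `allowed` on traffic toward the TV's UPnP port is worth an alert; `loopback` and `link-local` have no legitimate media-playback use.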
File Snapshot
[4.0K] /data/pocs/a9a2b05aad28b567a028e89803e932862c5ad6d2
└── [1.5K] README.md
1 directory, 1 file