CVE-2025-55971

TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16398 and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows for sending requests on behalf of the TV, which can be leveraged to probe for other internal or external services accessible by the device (e.g., 127.0.0.1:16XXX, LAN services, or internet targets), potentially enabling additional exploit chains.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/Szym0n13k/CVE-2025-55971-Blind-Unauthenticated-SSRF-in-TCL-Smart-TV-UPnP-DLNA-AVTransport	Third Party Advisory
https://www.youtube.com/watch?v=FeNLGR_xFIA	Exploit

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:tcl:65c655_firmware:v8-r75pt01-lf1v269.001116:*:*:*:*:*:*:*

cpe:2.3:h:tcl:65c655:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-10-03 16:16

Updated : 2025-10-15 18:17

NVD link : CVE-2025-55971

Mitre link : CVE-2025-55971

CVE.ORG link : CVE-2025-55971

JSON object : View

Products Affected

tcl

65c655_firmware
65c655

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2025-55971", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2025-10-03T16:16:17.540", "references": [{"url": "https://github.com/Szym0n13k/CVE-2025-55971-Blind-Unauthenticated-SSRF-in-TCL-Smart-TV-UPnP-DLNA-AVTransport", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.youtube.com/watch?v=FeNLGR_xFIA", "tags": ["Exploit"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16398 and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows for sending requests on behalf of the TV, which can be leveraged to probe for other internal or external services accessible by the device (e.g., 127.0.0.1:16XXX, LAN services, or internet targets), potentially enabling additional exploit chains."}], "lastModified": "2025-10-15T18:17:00.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:tcl:65c655_firmware:v8-r75pt01-lf1v269.001116:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1004749F-C65B-4868-85DB-6E135DFE71EC"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:tcl:65c655:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "71800B88-6570-4AA3-8968-A897A498739E"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}