CVE-2025-55971 PoC — TCL 65C655 Smart TV Security Vulnerability

Associated Vulnerability
Title: TCL 65C655 Smart TV Security Vulnerability (CVE-2025-55971)
Description: TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16398 and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows for sending requests on behalf of the TV, which can be leveraged to probe for other internal or external services accessible by the device (e.g., 127.0.0.1:16XXX, LAN services, or internet targets), potentially enabling additional exploit chains.
Readme
# CVE-2025-55971-Blind-Unauthenticated-SSRF-in-TCL-Smart-TV-UPnP-DLNA-AVTransport
TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) via the UPnP MediaRenderer service (AVTransport).

### Vendor: 
TCL Technology Group Corporation

### Product: 
TCL Smart TV (tested: 65C655)

### Vulnerability type: 
Unauthenticated blind Server-Side Request Forgery (SSRF) in UPnP/DLNA MediaRenderer (AVTransport)

### Impact: 
Device may issue outbound HTTP requests to attacker-controlled destinations on the local network or the Internet (blind SSRF).

### CVSS v3.1 (Base): 
4.6 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

### Discovery date: 
2025-06-28

### CVE: 
CVE-2025-55971

## Description: 
TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16XXX and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows an attacker to force the TV to send requests on its behalf to internal (e.g., 127.0.0.1:16XXX, LAN services) or internet targets, which may be leveraged in further exploit chains. Supported URIs include .jpg, .png, .mp3, .mp4, .gif, and other standard media formats. The affected port changes across restarts but remains within the 16XXX range.
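
A defender-side triage sketch for the behaviour described above, added here as an example (it is not part of the original README or the reporter's PoC). It parses captured SetAVTransportURI bodies sent to the 16XXX port range and flags requests from hosts outside an allowlist, or ones that point the TV at loopback. The record shape, `ALLOWED_CONTROLLERS`, `BODY_TEMPLATE` and all addresses are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

AVT_NS = "urn:schemas-upnp-org:service:AVTransport:1"  # service named in the advisory
ALLOWED_CONTROLLERS = {"192.168.1.20"}  # assumption: hosts allowed to cast to the TV

def extract_current_uri(soap_body):
    """Return CurrentURI of a SetAVTransportURI body, or None if it is not one."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return None
    node = root.find(f".//{{{AVT_NS}}}SetAVTransportURI/CurrentURI")
    return node.text.strip() if node is not None and node.text else None

def classify_target(uri):
    """Bucket the destination the TV is being told to fetch."""
    host = ""
    try:
        host = urlsplit(uri).hostname or ""
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname" if host else "unparseable"  # names need resolving first
    if ip.is_loopback:  # checked first: is_private is also True for 127.0.0.0/8
        return "loopback"
    return "lan" if ip.is_private else "internet"

def triage(records):
    """records: (src_ip, dst_port, soap_body) tuples; returns suspicious ones."""
    findings = []
    for src, port, body in records:
        # Advisory: the listening port stays within the 16XXX range.
        uri = extract_current_uri(body) if 16000 <= port <= 16999 else None
        if uri is None:
            continue
        target = classify_target(uri)
        # Unauthenticated service: unknown senders and loopback targets are findings.
        if src not in ALLOWED_CONTROLLERS or target == "loopback":
            findings.append((src, port, target, uri))
    return findings

BODY_TEMPLATE = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
                 '<u:SetAVTransportURI xmlns:u="%s"><InstanceID>0</InstanceID>'
                 '<CurrentURI>%s</CurrentURI></u:SetAVTransportURI></s:Body></s:Envelope>')
SAMPLE = [  # constructed records, not real traffic
    ("192.168.1.20", 16398, BODY_TEMPLATE % (AVT_NS, "http://192.168.1.5:8200/1.mp4")),
    ("192.168.1.77", 16398, BODY_TEMPLATE % (AVT_NS, "http://media.example/a.jpg")),
    ("192.168.1.20", 16398, BODY_TEMPLATE % (AVT_NS, "http://127.0.0.1:16001/x.png")),
]
```

Because the SSRF is blind, the request arriving at the TV is the observable event; feed `triage` from a network tap or proxy log positioned on the TV's segment.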