Login Sign Up

CVE-2023-6317

7.2 HIGH
Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to bypass the security PIN prompt in the secondscreen.gateway service on affected LG webOS smart TVs. Attackers can create privileged accounts without user interaction, potentially gaining unauthorized access to TV functions and connected services. This affects specific LG smart TV models running webOS versions 4 through 7.

💻 Affected Systems

Products:
  • LG webOS smart TVs
Versions: webOS 4 through 7 (specific affected versions listed in CVE)
Operating Systems: webOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific TV models including LG43UM7000PLA, OLED55CXPUA, OLED48C1PUB, OLED55A23LA with vulnerable webOS versions.

📦 What is this software?

Webos by Lg

View all CVEs affecting Webos →

Webos by Lg

View all CVEs affecting Webos →

Webos by Lg

View all CVEs affecting Webos →

Webos by Lg

View all CVEs affecting Webos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the smart TV system, allowing attackers to install malicious apps, access connected devices, intercept communications, and potentially pivot to other network devices.

🟠

Likely Case

Unauthorized account creation leading to privacy violations, unauthorized app installations, and potential access to streaming accounts or personal data stored on the TV.

🟢

If Mitigated

Limited impact if TV is isolated from internet and local network, though local attackers could still exploit if they have network access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the TV but no authentication. The secondscreen.gateway service is typically accessible on the local network.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Latest webOS firmware updates for affected models

Vendor Advisory: https://lgsecurity.lge.com/bulletins/tv#updateDetails

Restart Required: Yes

Instructions:

1. Navigate to TV Settings > All Settings > General > About This TV > Check for Updates. 2. Install any available updates. 3. Restart the TV after installation completes.

🔧 Temporary Workarounds

Disable secondscreen.gateway service

webOS

Disable the vulnerable service to prevent exploitation

Not applicable - requires TV developer mode access

Network isolation

all

Isolate TV on separate VLAN or network segment

🧯 If You Can't Patch

  • Disconnect TV from internet and local network when not in use
  • Place TV on isolated network segment with strict firewall rules

🔍 How to Verify

Check if Vulnerable:

Check TV model and webOS version in Settings > All Settings > General > About This TV

Check Version:

Not applicable - check via TV settings menu

Verify Fix Applied:

Verify webOS version is updated beyond vulnerable ranges listed in CVE

📡 Detection & Monitoring

Log Indicators:

  • Unexpected account creation events
  • Unauthorized access to secondscreen.gateway service

Network Indicators:

  • Unusual network traffic to TV on local network
  • Unexpected connections to secondscreen.gateway port

SIEM Query:

Not applicable for typical home environments

📊 Metadata

CVE ID: CVE-2023-6317
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CWE: CWE-639
Published: April 9, 2024
Last Updated: February 7, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-6317, you might also want to check these:

CVE-2025-40805 10.0

This critical vulnerability allows unauthenticated remote attackers to bypass authentication on spec...

Same vulnerability type (CWE-639)
CVE-2024-45032 10.0

This critical vulnerability allows unauthenticated remote attackers to impersonate legitimate device...

Same vulnerability type (CWE-639)
CVE-2025-0987 9.9

CVE-2025-0987 is an authorization bypass vulnerability in CB Project Ltd. Co. CVLand software that a...

Same vulnerability type (CWE-639)