CVE-2025-55971

4.7 MEDIUM

📋 TL;DR

This CVE describes a blind Server-Side Request Forgery (SSRF) vulnerability in TCL 65C655 Smart TVs that allows unauthenticated attackers to make the TV send HTTP requests to arbitrary internal or external targets. Attackers can use this to probe for other vulnerable services accessible from the TV's network position. All users of the affected TCL Smart TV model with vulnerable firmware are at risk.

💻 Affected Systems

Products:
  • TCL 65C655 Smart TV
Versions: Firmware version V8-R75PT01-LF1V269.001116
Operating Systems: Android TV with Kernel 5.4.242+
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the UPnP MediaRenderer service (AVTransport:1) which is enabled by default for DLNA functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could chain this SSRF with other vulnerabilities to achieve remote code execution, access internal network services, or perform reconnaissance for further attacks.

🟠 Likely Case

Attackers will use the TV to scan internal networks for other vulnerable devices or services, potentially discovering additional attack vectors.

🟢 If Mitigated

With proper network segmentation and firewall rules, the impact is limited to the TV itself making outbound requests without exposing additional attack surfaces.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted SOAP requests to TCP port 16398. Public proof-of-concept code and demonstration videos are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

Check for firmware updates through the TV's settings menu under System > About > System update. If no patch is available, apply workarounds.

🔧 Temporary Workarounds

Block UPnP Service Port

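Platform: linux

Block incoming connections to TCP port 16398 on the TV using network firewall rules. The rule below is for a Linux router or firewall that forwards traffic to the TV; replace TV_IP with the TV's address. Hosts on the same subnet as the TV normally reach it without crossing the router, so this rule does not cover them.

iptables -A FORWARD -d TV_IP -p tcp --dport 16398 -j DROP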

Disable UPnP/DLNA Services

Platform: all

Turn off UPnP and DLNA services in the TV settings if not needed.

🧯 If You Can't Patch

  • Segment the TV on a separate VLAN or network segment to limit its access to other devices.
  • Implement egress filtering to restrict the TV's outbound connections to only necessary destinations.

🔍 How to Verify

Check if Vulnerable:

Send a crafted SetAVTransportURI SOAP request to the TV's IP on port 16398 and monitor for outbound requests to a controlled server.

Check Version:

Check TV settings: System > About > Build number

Verify Fix Applied:

Test if the TV still processes SetAVTransportURI requests after applying firewall rules or disabling services.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from TV to internal or external IPs
  • Failed connection attempts from TV to unusual ports

Network Indicators:

  • TCP connections to the TV on port 16398
  • SOAP requests with SetAVTransportURI action to TV

SIEM Query:

(dest_ip="TV_IP" AND dest_port=16398) OR (source_ip="TV_IP" AND http_user_agent LIKE "%UPnP%" AND dest_port IN [80,443,8080])
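
Because the SSRF is blind, the inbound control request and the TV's resulting outbound request are most useful when correlated in time. The following is an added example, not part of the original advisory: it pairs control connections to port 16398 from hosts outside an allow-list with the TV's outbound connections that follow. The addresses, allow-list, window size, and flow-record layout are assumptions, and the flow records are constructed.

```python
import csv
import io

TV_IP = "10.20.0.50"                  # assumed TV address
UPNP_PORT = 16398                     # AVTransport control port from the advisory
ALLOWED_CONTROLLERS = {"10.20.0.10"}  # assumed legitimate DLNA controllers
WINDOW_S = 10                         # assumed correlation window in seconds

# Constructed flow records (epoch seconds), not real telemetry.
SAMPLE_FLOWS = """ts,src_ip,dst_ip,dst_port,state
100,10.20.0.10,10.20.0.50,16398,established
101,10.20.0.50,10.20.0.10,8200,established
300,10.20.0.77,10.20.0.50,16398,established
301,10.20.0.50,10.20.0.1,80,established
302,10.20.0.77,10.20.0.50,16398,established
303,10.20.0.50,10.20.0.5,8080,refused
320,10.20.0.50,198.51.100.7,443,established
"""

def load_flows(text):
    rows = csv.DictReader(io.StringIO(text))
    return [dict(r, ts=int(r["ts"]), dst_port=int(r["dst_port"])) for r in rows]

def correlate(flows):
    """Pair each unapproved control request with TV outbound flows inside WINDOW_S."""
    findings = []
    for f in flows:
        inbound = f["dst_ip"] == TV_IP and f["dst_port"] == UPNP_PORT
        if not inbound or f["src_ip"] in ALLOWED_CONTROLLERS:
            continue
        followed = [
            (o["dst_ip"], o["dst_port"], o["state"])
            for o in flows
            if o["src_ip"] == TV_IP and 0 <= o["ts"] - f["ts"] <= WINDOW_S
        ]
        findings.append({"ts": f["ts"], "controller": f["src_ip"], "tv_outbound": followed})
    return findings

def summarize(findings):
    """Distinct (ip, port) targets the TV contacted per unapproved controller."""
    out = {}
    for item in findings:
        out.setdefault(item["controller"], set()).update(
            (ip, port) for ip, port, _ in item["tv_outbound"])
    return out

if __name__ == "__main__":
    for item in correlate(load_flows(SAMPLE_FLOWS)):
        print(item)
```

A controller whose summary shows many distinct internal targets, especially with refused connections, matches the scanning behaviour described under Likely Case.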
