TCL Smart TV Server-Side Request Forgery Vulnerability via UPnP MediaRenderer Service

A blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability has been identified in the TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116. This vulnerability arises within the UPnP MediaRenderer service (AVTransport:1), where the device accepts unauthenticated SetAVTransportURI SOAP requests over TCP port 16398. The TV attempts to retrieve externally referenced URIs, including those controlled by an attacker. This blind SSRF allows the TV to send requests on behalf of the device to internal or external services, potentially probing for accessible services or targets that could be exploited further.

Impact

Exploitation of this vulnerability could allow an attacker to send requests from the TV to internal or external services, probing for additional vulnerabilities or accessible resources that could be exploited.