A critical vulnerability has been discovered in LG’s WebOS for smart TVs, allowing an attacker on the same local network to bypass authentication mechanisms and achieve full control over the device.
The flaw, which affects models like the LG WebOS 43UT8050, enables unauthenticated attackers to gain root access, install malicious applications, and completely compromise the television. The vulnerability was disclosed during the TyphoonPWN 2025 hacking competition, where it secured first place.
The attack chain begins with a flaw in the browser-service running on the TV. This service activates on port 18888 when a USB storage device is connected. It exposes an API endpoint, /getFile, intended to allow peer devices to download files from specific directories.
According to SSD-Disclosure, the vulnerability is due to a lack of proper input validation on the path parameter, the service is vulnerable to path traversal. This allows an attacker to request and download any file from the TV’s filesystem without needing to authenticate.
By exploiting this path traversal flaw, an attacker can access sensitive system files. The primary target is the database file located at /var/db/main/, which contains authentication keys for clients that have previously paired with the TV’s secondscreen.gateway service.
Armed with these keys, the attacker can impersonate a legitimate client and connect to the secondscreen service, bypassing all authentication checks. This grants them high-privilege access to the TV’s core functions.
From Vulnerability to Device Takeover
Once authenticated to the secondscreen service, the attacker has the privileges needed to enable developer mode on the device. From there, they can use developer tools to install any application, including malware designed to spy on the user, steal data, or use the TV as a bot in a larger network of compromised devices.
The proof-of-concept demonstrates how an attacker can leverage this access to execute arbitrary commands, effectively gaining root control and taking over the television.
The entire process can be automated with a simple script, allowing for rapid exploitation once initial access to the local network is gained.
In response to the disclosure, LG has released the security advisory SMR-SEP-2025 and urges users to ensure their devices are updated with the latest firmware to mitigate the threat.
Free live webinar on new malware tactics from our analysts! Learn advanced detection techniques -> Register for Free
Source link
