More Than 91,000 LG Smart TVs Open To Remote Attack

Giulio Saggin
Giulio Saggin
Wednesday 10 April 2024
More Than 91,000 LG Smart TVs Open To Remote Attack

It's been revealed that more than 91,000 LG smart TVs can be accessed by vulnerabilities that allow attackers to bypass authorisation and control the affected TV.

Researchers at Bitdefender discovered the four vulnerabilities, which affect WebOS versions 4 - 7:

- CVE-2023-6317 lets an attacker bypass the authorization mechanism in WebOS versions 4 through 7, set a variable and add an extra user to the TV.

- CVE-2023-6318 lets attackers elevate the access they gained in the first step (above) to root and fully take over the TV.

- CVE-2023-6319 manipulates a library responsible with showing music lyrics and allows operating system command injection.

- CVE-2023-6320 manipulates the com.webos.service.connectionmanager/tv/setVlanStaticAddress API endpoint and lets an attacker inject authenticated commands.

The last three of the above all have a "critical" CVSS of 9.1.

Vulnerable OS versions: webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA webOS 5.5.0 - 04.50.51 running on OLED55CXPUA webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA

Bitdefender reported the flaws to LG on November 1, 2023, and asked for an extension in mid-December, 2023, to fix them. The electronics giant released patches on March 22, 2024. It's recommended that you apply the WebOS patch asap.

The full findings can be found in THIS Bitdefender blog post.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.


SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203