CVE-2025-55971: n/a
TCL 65C655 Smart TV, running firmware version V8-R75PT01-LF1V269.001116 (Android TV, Kernel 5.4.242+), is vulnerable to a blind, unauthenticated Server-Side Request Forgery (SSRF) vulnerability via the UPnP MediaRenderer service (AVTransport:1). The device accepts unauthenticated SetAVTransportURI SOAP requests over TCP/16398 and attempts to retrieve externally referenced URIs, including attacker-controlled payloads. The blind SSRF allows for sending requests on behalf of the TV, which can be leveraged to probe for other internal or external services accessible by the device (e.g., 127.0.0.1:16XXX, LAN services, or internet targets), potentially enabling additional exploit chains.
AI Analysis
Technical Summary
CVE-2025-55971 is a Server-Side Request Forgery (SSRF) vulnerability affecting the TCL 65C655 Smart TV running a specific firmware version (V8-R75PT01-LF1V269.001116) based on Android TV with Linux Kernel 5.4.242+. The vulnerability resides in the UPnP MediaRenderer service (AVTransport:1), which listens on TCP port 16398 and accepts unauthenticated SOAP requests, specifically the SetAVTransportURI command. This command allows the device to fetch external URIs, and due to insufficient validation, an attacker can supply arbitrary URIs. The SSRF is blind, meaning the attacker does not receive direct responses from the targeted internal or external services but can still induce the TV to send requests on their behalf. This can be exploited to scan internal networks (e.g., localhost or LAN services) or external internet resources accessible from the TV's network environment. Such probing can reveal internal services, potentially leading to further exploitation or lateral movement within a victim's network. Although no known exploits are currently reported in the wild, the vulnerability's unauthenticated nature and the ability to reach internal network segments make it a significant risk. The absence of a CVSS score indicates it is a newly published issue, and no patches or mitigations have been officially released yet.
Potential Impact
For European organizations, the impact of this vulnerability could be substantial, especially in environments where TCL Smart TVs are deployed in corporate meeting rooms, public spaces, or even employee work areas connected to internal networks. The SSRF vulnerability can be leveraged by attackers to bypass perimeter defenses and access internal services that are otherwise not exposed externally. This could lead to reconnaissance of internal infrastructure, identification of vulnerable services, and potentially facilitate more severe attacks such as privilege escalation, data exfiltration, or lateral movement within the network. Given the ubiquity of smart devices in modern workplaces, this vulnerability increases the attack surface and could compromise confidentiality and integrity of sensitive information. Additionally, if exploited in environments with critical infrastructure or sensitive data, the availability of services could also be impacted indirectly through chained attacks. The unauthenticated nature of the vulnerability lowers the barrier for attackers, increasing the likelihood of exploitation in poorly segmented or monitored networks.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should first identify all TCL 65C655 Smart TVs running the affected firmware version within their networks. Network segmentation should be enforced to isolate smart TVs from critical internal systems and sensitive data repositories. Specifically, restrict the TVs' network access to only necessary external services and block access to internal management interfaces or localhost addresses via firewall rules or network access control lists. Disable or restrict UPnP services on these devices if possible, or configure the devices to reject unauthenticated SOAP requests on port 16398. Monitoring network traffic for unusual outbound requests originating from smart TVs can help detect exploitation attempts. Until an official patch is released, organizations should consider applying compensating controls such as network-level filtering, device hardening, and limiting physical and network access to the affected devices. Vendor engagement is recommended to obtain firmware updates or official guidance. Additionally, security teams should educate users about the risks of connecting smart devices to sensitive networks and implement strict device onboarding policies.
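The traffic-monitoring recommendation above can be implemented as a flow-log correlation: an inbound request to TCP/16398 followed shortly by the TV connecting to an internal address. The Python below is an added example, not part of the original advisory; the addresses, controller allowlist, 10-second window and log format are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# All addresses and thresholds below are constructed assumptions for the example.
TV = "10.20.0.50"                      # the smart TV
CONTROL_PORT = 16398                   # AVTransport port named in the advisory
ALLOWED_CONTROLLERS = {"10.20.0.10"}   # hosts expected to cast to the TV
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(seconds=10)         # how soon after a control request a fetch counts

# Constructed flow log: timestamp src dst dst_port
SAMPLE_FLOWS = """\
2025-10-03T14:00:01 10.20.0.10 10.20.0.50 16398
2025-10-03T14:00:02 10.20.0.50 203.0.113.7 443
2025-10-03T14:05:10 10.20.0.77 10.20.0.50 16398
2025-10-03T14:05:11 10.20.0.50 10.0.5.20 8080
2025-10-03T14:05:12 10.20.0.50 10.0.5.21 8080
2025-10-03T14:30:00 10.20.0.50 10.0.5.20 445
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def analyze(log_text):
    """Return (kind, timestamp, detail) alerts for the TV's flows."""
    alerts, last_control = [], None    # last_control = (time, src) of latest request
    for line in log_text.splitlines():
        ts, src, dst, port = line.split()
        when, port = datetime.fromisoformat(ts), int(port)
        if dst == TV and port == CONTROL_PORT:
            last_control = (when, src)
            if src not in ALLOWED_CONTROLLERS:
                alerts.append(("unexpected-controller", ts, src))
        elif src == TV and is_internal(dst) and last_control:
            # Outbound fetch to an internal host shortly after a control request:
            # the pattern the advisory describes for the blind SSRF.
            if when - last_control[0] <= WINDOW:
                alerts.append(("internal-fetch-after-control", ts,
                               f"{dst}:{port} (control from {last_control[1]})"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(*alert)
```

Requests the TV makes to its own loopback addresses never leave the device, so flow data only covers LAN and internet destinations; the inbound check on port 16398 is the only network-visible signal for those.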
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68dfe45063749ed1da7ba4b1
Added to database: 10/3/2025, 2:57:20 PM
Last enriched: 10/3/2025, 2:57:37 PM
Last updated: 10/7/2025, 5:27:22 AM