Critical Flaw Discovered in LG Smart TVs
Researchers participating in the TyphoonPWN 2025 contest uncovered a critical flaw in LG WebOS firmware that permits full takeover of a television: unauthorized file reads, webcam access, application installation, and enabling developer mode. The vulnerability was reported to the vendor, which issued bulletin SMR-SEP-2025. The disclosed exploit chain links a sequence of weaknesses in the browser service and the secondscreen.gateway component.
The entry point is the WebOS browser service, which opens port 18888 when a USB drive is attached and exposes the API endpoint /getFile?path=…. The endpoint is meant to serve only directory contents under /tmp/usb and /tmp/home.office.documentviewer, but it does not canonicalize or validate the path parameter, so a request containing ../ segments reads arbitrary files from the device filesystem, including the database of client keys. With those keys an attacker bypasses secondscreen.gateway authentication and obtains the privileges ordinarily reserved for trusted clients.
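The path-traversal step described above, as an added example that is not code from the page, from LG or from the researchers: a minimal Python model of the /getFile path check. The naive version only tests that the requested string begins with an allowed root, which ../ segments defeat; the hardened version rejects input that is still percent-encoded or carries a NUL, collapses . and .. segments, and then tests containment. The handler names, the ALLOWED_ROOTS tuple and the sample requests (including the /var/db key-database location) are assumptions made for illustration, not facts from the advisory.

```python
# Added example (not code from the page, from LG or from the researchers):
# a minimal model of the /getFile?path=... check described in the article.
import posixpath
from urllib.parse import parse_qs, urlsplit

# The two directories the endpoint is supposed to serve (from the article).
ALLOWED_ROOTS = ("/tmp/usb", "/tmp/home.office.documentviewer")


def path_from_request(url):
    """Return the `path` query parameter of a /getFile request, or None.
    parse_qs performs one round of percent-decoding, as a web server would."""
    values = parse_qs(urlsplit(url).query).get("path")
    return values[0] if values else None


def vulnerable_check(path):
    """Naive check: accepts any string that merely begins with an allowed root.
    '/tmp/usb/../../etc/passwd' begins with '/tmp/usb/' and is accepted, even
    though it resolves to /etc/passwd."""
    return any(path == root or path.startswith(root + "/") for root in ALLOWED_ROOTS)


def hardened_check(path):
    """Reject anything still percent-encoded or containing NUL, collapse '.'
    and '..' segments, then require the normalised path to lie inside an
    allowed root. This is a lexical check; a real server must also resolve
    symlinks (os.path.realpath) before opening the file."""
    if "%" in path or "\x00" in path or not path.startswith("/"):
        return False
    normalized = posixpath.normpath(path)
    return any(normalized == root or normalized.startswith(root + "/")
               for root in ALLOWED_ROOTS)


def serve(url, check):
    """Decide a /getFile request under the given check.
    Returns ('ok', path) or ('denied', path)."""
    path = path_from_request(url)
    if path is None:
        return ("denied", None)
    return ("ok" if check(path) else "denied", path)


# Constructed sample requests; the key-database location is hypothetical.
SAMPLE_REQUESTS = [
    "/getFile?path=/tmp/usb/sda1/report.pdf",                    # legitimate
    "/getFile?path=/tmp/usb/../../var/db/secondscreen/keys.db",  # plain traversal
    "/getFile?path=/tmp/usb/%2e%2e/%2e%2e/etc/passwd",           # encoded traversal
    "/getFile?path=/tmp/usb/%252e%252e/%252e%252e/etc/passwd",   # double-encoded
    "/getFile?path=/tmp/usbx/anything",                          # prefix without separator
    "/getFile?path=/etc/passwd",                                 # no allowed prefix at all
]


def bypasses(requests=SAMPLE_REQUESTS):
    """Requests the naive check lets through but the hardened check blocks."""
    return [u for u in requests
            if serve(u, vulnerable_check)[0] == "ok"
            and serve(u, hardened_check)[0] == "denied"]


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(f"{url:60s} naive={serve(url, vulnerable_check)[0]:6s} "
              f"hardened={serve(url, hardened_check)[0]}")
    print("bypasses:", len(bypasses()))
```

Rejecting any remaining '%' after the server's single decode is deliberately strict: it blocks double-encoding tricks at the cost of refusing file names that legitimately contain a percent sign. The containment test uses root + "/" rather than a bare prefix so that /tmp/usbx is not mistaken for /tmp/usb.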
Possession of those keys enables more than file exfiltration. Through the secondscreen interface, an attacker holding them can enable developer mode, instruct the TV to download an IPK package to its internal storage, and call the application-installer service to install it. Such a payload can spawn a reverse shell, establish persistent access and survive reboots. The researchers supplied a working proof of concept, with command sequences and payload templates, that validates the chain on a local network.
LG has published a security bulletin and is preparing a patch; administrators and operators are urged to apply the official update as soon as it ships and, until then, to restrict network access to affected devices. End users should temporarily disable automatic USB file sharing, avoid attaching untrusted USB storage, and keep televisions on a secured, isolated LAN segment that unknown devices cannot reach. For forensic and hardening checks, scan the segment for port 18888 and any other unexpected open ports, examine access logs for reads under /tmp and /var/db, and remove any previously attached untrusted storage devices.