LG fixes webOS security flaws that could let attackers remotely gain root access

The vulnerabilities could have allowed attackers to remotely gain access to users' TVs.
Written by Artie Beaty, Contributing Writer
LG C2 OLED 4K WebOS smart TV

A recent update from LG has revealed security vulnerabilities present in webOS-enabled smart TVs. The flaws, which were first discovered by Romanian cybersecurity firm Bitdefender, could have been exploited to give an attacker remote root access to users' TVs.

The four vulnerabilities, which LG says the company fixed on March 22, 2024, were first discovered in 2023. They affected the following webOS builds and TV models:

  • webOS 6.3.3-442 - 03.36.50 running on OLED48C1PUB

  • webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA

  • webOS 7.3.1-43 - 03.33.85 running on OLED55A23LA

  • webOS 5.5.0 - 04.50.51 running on OLED55CXPUA

Bitdefender described two of the vulnerabilities: CVE-2023-6317 could let an attacker bypass PIN verification and add a privileged user profile to the TV without requiring user interaction, while CVE-2023-6318 could let a potential attacker elevate their own privileges and gain root access to take control of the device.

"We have found several issues affecting WebOS versions 4 through 7 running on LG TVs," Bitdefender explained. "These vulnerabilities let us gain root access on the TV after bypassing the authorization mechanism. Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet."

The majority of affected devices are in South Korea, Hong Kong, and the US. You can find out what webOS version your TV is running by going to Settings, opening General, then "TV information," and finally hitting "webOS TV version." Following the same process but stopping at TV information will show you your TV set's model number.
