CVE-2023-6319 is an authenticated OS command injection vulnerability in the getAudioMetadata method of the com.webos.service.attachedstoragemanager service on LG webOS TV versions 4 through 7. The vulnerable code path is reached during audio metadata and lyric file processing: when an .mp3 file and a matching .lrc lyrics file are present, and the .lrc file begins with the bytes \xFF\xFE\x00\x00 (the UTF-32 little-endian byte order mark), the service invokes the iconv binary with the unsanitized filename embedded in the command line. Because that filename is attacker-controlled and is incorporated into a system command without sanitization, a crafted filename can terminate the intended iconv invocation and append arbitrary commands, which run with the privileges of the service. Exploitation requires an authenticated session to the TV and a way to place the crafted file on storage the service scans; the public exploit described below uses the TV's own download manager for that. The issue was reported as affecting webOS 4.9.7, 5.5.0, 6.3.3-442, and 7.3.1-43 on tested LG TV models.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a Python exploit script ('rootmytv.py') targeting LG webOS TVs vulnerable to CVE-2023-6319. The exploit works by running a local HTTP server on the attacker's machine (port 8089) and using the webOS TV's download manager to fetch files with specially crafted filenames from this server. These filenames are constructed to inject a command that starts the telnet daemon ('telnetd') on the TV, granting root access via telnet (port 23). The script interacts with the TV over the network using the bscpylgtv library, and requires the attacker to know both their own LAN IP and the TV's IP. The README provides clear instructions and lists tested TV models and firmware versions. The exploit is operational and provides a root shell on the TV if successful. No hardcoded IPs or domains are present, but the script dynamically uses user-supplied or autodetected LAN IPs for payload delivery. The repository is well-structured, with a single main exploit script, a requirements file, and documentation.
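As an added example (not code from this page, from LG's service, or from the rootmytv.py repository), the following Python script models both the code path described in the vulnerability summary above and the filename-as-payload technique the exploit repository relies on. It places a UTF-32 LE .lrc file whose name carries a shell command next to the conversion routine, runs the conversion the vulnerable way (filename pasted into a shell string) and the hardened way (filename passed as a single argv element), and reports which one executed the injected command. The exact iconv arguments, the BOM check, the "#.lrc" suffix trick and the allowlist regex are assumptions of this example; the injected command is a harmless `touch` of a marker file rather than telnetd.

```python
import os
import re
import shutil
import subprocess
import tempfile

# UTF-32 LE byte order mark; the advisory text says an .lrc file starting with
# these bytes is what sends the service down the iconv path.
UTF32_LE_BOM = b"\xff\xfe\x00\x00"

# Assumption: the converter is invoked as "iconv -f UTF-32LE -t UTF-8 <file>".
# The real argument list is not given on the page. Fall back to /bin/true on
# hosts without iconv; the injection behaviour does not depend on it.
CONVERTER = shutil.which("iconv") or "true"

# Defence-in-depth allowlist for lyric file names (assumed policy): first
# character alphanumeric (so a name can never be parsed as an option), then
# alphanumerics, space, dot, underscore or hyphen, ending in ".lrc".
SAFE_LYRIC_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]*\.lrc")


def needs_iconv(lrc_path):
    """Return True when the lyric file carries the UTF-32 LE BOM."""
    with open(lrc_path, "rb") as f:
        return f.read(4) == UTF32_LE_BOM


def build_command_vulnerable(lrc_path, tool=CONVERTER):
    """Vulnerable pattern: the path is pasted into a string a shell will parse."""
    return f"{tool} -f UTF-32LE -t UTF-8 {lrc_path}"


def build_argv_hardened(lrc_path, tool=CONVERTER):
    """Hardened pattern: the path is one argv element and never reaches a shell."""
    return [tool, "-f", "UTF-32LE", "-t", "UTF-8", lrc_path]


def is_acceptable_lyrics_name(name):
    """Allowlist check to apply before any conversion is attempted."""
    return SAFE_LYRIC_NAME.fullmatch(name) is not None


def convert_lyrics(lrc_path, hardened, cwd=None):
    """Convert a UTF-32 LE .lrc file to UTF-8, the vulnerable or the hardened way.

    Returns the converter's exit status, or None when the file has no BOM.
    """
    if not needs_iconv(lrc_path):
        return None
    if hardened:
        return subprocess.run(build_argv_hardened(lrc_path), cwd=cwd,
                              capture_output=True).returncode
    return subprocess.run(build_command_vulnerable(lrc_path), shell=True,
                          cwd=cwd, capture_output=True).returncode


def demo():
    """Run the same crafted file through both paths; only the vulnerable one executes it."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed payload name: "; touch injected;" is the injected command,
        # "#" comments out the remainder so the name can still end in ".lrc".
        # A real exploit would start telnetd here; touch is a harmless marker.
        evil_name = "x; touch injected; #.lrc"
        lrc_path = os.path.join(workdir, evil_name)
        with open(lrc_path, "wb") as f:
            f.write(UTF32_LE_BOM + "[00:01.00]hello\n".encode("utf-32-le"))
        marker = os.path.join(workdir, "injected")

        convert_lyrics(lrc_path, hardened=False, cwd=workdir)
        vulnerable_injected = os.path.exists(marker)
        if vulnerable_injected:
            os.remove(marker)

        convert_lyrics(lrc_path, hardened=True, cwd=workdir)
        hardened_injected = os.path.exists(marker)

        return {
            "vulnerable_injected": vulnerable_injected,
            "hardened_injected": hardened_injected,
            "name_passes_allowlist": is_acceptable_lyrics_name(evil_name),
        }


if __name__ == "__main__":
    print(demo())
```

The argv form is the actual fix: the shell never sees the filename, so metacharacters in it are just bytes of an argument. The allowlist is a second layer for the case where the converter's own argument parsing could be abused by names beginning with a hyphen.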
Sources tracked across advisories, community write-ups, and news:
An authenticated command injection vulnerability in the getAudioMetadata method of LG webOS TV allows attackers to execute arbitrary commands by manipulating music lyric files.
An authenticated OS command injection vulnerability in the getAudioMetadata lyric file processing path allows command execution through unsanitized filename handling in affected LG webOS TVs.