The vulnerabilities in LG's webOS that let attackers take over the device affect both OLED and LCD models. LG has released new firmware to fix the identified vulnerabilities.
Update 14.4.2024: LG has provided the following statement: "Security being one of our highest priorities at LG, the necessary patches have already been completed in all countries. We can confirm all affected LG Smart TVs will no longer be at risk once the provided patches have been applied. We encourage all customers to apply the latest updates and advise they enable automatic software updates."
Update 12.4.2024: It has been confirmed that all LG TV models running the mentioned webOS versions are affected, meaning LG's entire TV line-up from 2019 onwards (via 4KFilme.de).
The severe security vulnerabilities, which relate to errors in the TVs' system to communicate with LG's ThinQ smartphone app, were discovered in November 2023 by Bitdefender and are being disclosed now as LG has patches ready, according to a report by Ars Technica.

- "We have found several issues affecting WebOS versions 4 through 7 running on LG TVs. These vulnerabilities let us gain root access on the TV after bypassing the authorization mechanism. Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet," BitDefender said in a press release.


Affected devices
According to the report, over 91,000 LG TVs are affected and can be taken over by attackers to be misused as a botnet or possibly used to gain access to paid accounts or apps.

The vulnerable LG TVs are placed around the world, including Asia, Europe and Americas, and span multiple generations of LG OLED and LCD TVs.

The following webOS versions were identified to be affected:
webOS 4.9.7 - 5.30.40 (LG models from 2019)
webOS 5.5.0 - 04.50.51 (LG models from 2020)
webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 (LG models from 2021)
webOS 7.3.1-43 (mullet-mebin) - 03.33.85 (LG models from 2022)

Update: All LG TV models running these webOS versions are affected.


 Regardless of whether webOS in your LG TV looks like the left example (webOS 5) or right example (webOS 6) you should update or disconnect
Update or disconnect your TV
For a decade, LG has refused to upgrade the webOS version in its TVs but the company has provided regular security updates. Still, the severe security issues could likely have been avoided had LG provided webOS version upgrades, as the issues have not been identified in newer webOS versions.

LG released security patches for the affected models this Wednesday so check your TV's built-in update menu (under Settings -> Support) or refer to LG's support page in your local country where firmware updates can be downloaded onto a USB stick and installed via the TV's USB port.

Alternatively, you can disconnect your LG TV entirely from your home network and use an external media player such as Apple TV 4K. You can control it with both LG's remote and Apple's remote.

More details about the vulnerabilities can be found in Bitdefender's press release here.

- Source: Bitdefender via Ars Technica