ReolinkCVEs & Vulnerabilities

106 CVEs affecting Reolink products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

rlc-410w firmware 88rlc-410w 88reolink 11smart 2k\+ plug-in wi-fi video doorbell with chime firmware 3smart 2k\+ plug-in wi-fi video doorbell with chime 3e1 zoom firmware 2e1 zoom 2rlc-410 2
CVE-2021-40413HIGH

An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. The UpgradePrepare is the API that checks if a provided filename identifies a new version of the RLC-410W firmware. If the version is new, it would be possible, allegedly, to later on perform the Upgrade. An attacker can send an HTTP request to trigger this vulnerability.

28 Jan 2022
7.1
CVSS
CVE-2021-40412HIGH

An OScommand injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [8] the devname variable, that has the value of the name parameter provided through the SetDevName API, is not validated properly. This would lead to an OS command injection.

28 Jan 2022
7.2
CVSS
CVE-2021-40411HIGH

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [6] the dns_data->dns2 variable, that has the value of the dns2 parameter provided through the SetLocalLink API, is not validated properly. This would lead to an OS command injection.

28 Jan 2022
7.2
CVSS
CVE-2021-40410HIGH

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [4] the dns_data->dns1 variable, that has the value of the dns1 parameter provided through the SetLocal API, is not validated properly. This would lead to an OS command injection.

28 Jan 2022
7.2
CVSS
CVE-2021-40409CRITICAL

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->password variable, that has the value of the password parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection.

28 Jan 2022
9.8
CVSS
CVE-2021-40408CRITICAL

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->username variable, that has the value of the userName parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection.

28 Jan 2022
9.8
CVSS
CVE-2021-40406HIGH

A denial of service vulnerability exists in the cgiserver.cgi session creation functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to prevent users from logging in. An attacker can send an HTTP request to trigger this vulnerability.

28 Jan 2022
7.5
CVSS
CVE-2021-40404MEDIUM

An authentication bypass vulnerability exists in the cgiserver.cgi Login functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to authentication bypass. An attacker can send an HTTP request to trigger this vulnerability.

28 Jan 2022
6.5
CVSS
CVE-2020-25173HIGH

An attacker with local network access can obtain a fixed cryptography key which may allow for further compromise of Reolink P2P cameras outside of local network access

26 Jan 2021
7.8
CVSS
CVE-2020-25169HIGH

The affected Reolink P2P products do not sufficiently protect data transferred between the local device and Reolink servers. This can allow an attacker to access sensitive information, such as camera feeds.

26 Jan 2021
7.5
CVSS
← PrevPage 3 / 3Next →