VYPR
Unrated severity · NVD Advisory · Published Jan 28, 2022 · Updated Apr 15, 2025

CVE-2021-40408

Description

An OS command injection vulnerability exists in the device network settings functionality of Reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], depending on the DDNS type, the ddns->username variable, which holds the value of the userName parameter supplied through the SetDdns API, is not validated properly. This leads to an OS command injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OS command injection in Reolink RLC-410W DDNS settings allows authenticated remote attackers to execute arbitrary commands.

Vulnerability

An OS command injection vulnerability exists in the device network settings functionality of Reolink RLC-410W v3.0.0.136_20121102. The SetDdns API does not properly validate the userName parameter, which is used in shell commands to apply DDNS configuration. This allows an attacker to inject arbitrary commands via a specially crafted HTTP request [1].
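As an added illustration of the defect class described above (not Reolink firmware code, which this page does not show): a C fragment that validates a DDNS username against a strict allowlist and launches a hypothetical `ddns-client` helper via fork/execvp rather than through a shell, so the value can never alter the command line. The helper binary name, its option names and the `ddns_username_ok` / `apply_ddns` functions are all assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical allowlist for a DDNS account name: letters, digits and a few
 * punctuation characters, with a bounded length. Shell metacharacters
 * (';', '|', '&', '`', '$', quotes, whitespace) are rejected outright, so a
 * username can never change the structure of any command that uses it. */
#define DDNS_USER_MAX 64

bool ddns_username_ok(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || n > DDNS_USER_MAX)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '@'))
            return false;
    }
    return true;
}

/* Apply the settings without system() or popen(): each value is its own
 * argv entry, so the child sees it as data, never as shell syntax.
 * Returns the child's exit status, or -1 on invalid input or failure.
 * The host is checked with the same allowlist here; a real build should
 * also enforce hostname grammar. */
int apply_ddns(const char *user, const char *host)
{
    if (!ddns_username_ok(user) || !ddns_username_ok(host))
        return -1;
    char *argv[] = { "ddns-client", "--user", (char *)user,
                     "--host", (char *)host, NULL };   /* hypothetical helper */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed; never fall back to a shell */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```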

Exploitation

An attacker must have network access and valid credentials to the camera's privileged APIs (CVSSv3 privileges required: High). By sending a malicious userName value in the SetDdns request, the unsanitized input is later used in an OS command, leading to command execution [1].

Impact

Successful exploitation results in arbitrary OS command execution with root privileges. This can lead to full compromise of the device, including unauthorized access, data exfiltration, and denial of service. The CVSSv3 score is 9.1 (Critical) [1].

Mitigation

As of the publication date (2022-01-28), no official patch or updated firmware has been released. Users should restrict network access to the camera's API, change default credentials, and monitor for future updates from Reolink. The device is not known to be in the CISA KEV catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • reolink/RLC-410W (source: description)
  • Reolink/RLC-410W (source: llm-fuzzy)
    Range: = 3.0.0.136_20121102

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.