CVE-2021-40415
Description
An incorrect default permission vulnerability exists in the cgiserver.cgi cgi_check_ability functionality of reolink RLC-410W v3.0.0.136_20121102. In cgi_check_ability, the Format API has no specific case, so the user permission defaults to 7. This gives non-administrative users the possibility to format the SD card and reboot the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An incorrect default permission in Reolink RLC-410W cameras allows non-administrative users to format the SD card and reboot the device via the Format API.
Vulnerability
The Reolink RLC-410W WiFi camera firmware version v3.0.0.136_20121102 contains an incorrect default permission vulnerability in the cgiserver.cgi cgi_check_ability function. When handling the Format API, the permission check does not have a specific case, causing the user permission to default to 7 (all bits set: G, S, A). This grants full access to the Format API for any authenticated user, regardless of their assigned role. [1]
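As an added illustration (not Reolink's code, which is not on this page), a minimal C model of the fail-open default described above beside a default-deny version. The role names, the bit assignment of G/S/A and the sample API names are assumptions; only "permission 7 = all bits set" comes from the advisory.

```c
#include <string.h>

/* Permission bits as listed above ("7 = all bits set: G, S, A").
 * The bit assignment and the roles below are assumptions of this model. */
enum { PERM_G = 1, PERM_S = 2, PERM_A = 4, PERM_ALL = 7 };
enum { ROLE_GUEST, ROLE_USER, ROLE_ADMIN };

/* Ability granted to a role for APIs that DO have an explicit case. */
static int role_bits(int role) {
    switch (role) {
    case ROLE_ADMIN: return PERM_ALL;
    case ROLE_USER:  return PERM_G | PERM_S;
    default:         return PERM_G;
    }
}

/* Fail-open model of the bug: "Format" has no case, so the fall-through
 * hands every caller permission 7, regardless of role. */
int check_ability_failopen(const char *api, int role) {
    if (strcmp(api, "GetDevInfo") == 0) return role_bits(role);
    if (strcmp(api, "Reboot") == 0)     return role_bits(role) & PERM_A;
    return PERM_ALL;  /* unlisted API such as "Format": everyone gets 7 */
}

/* Hardened form: privileged operations get an explicit admin-only case,
 * and anything unlisted resolves to no permission at all (default deny). */
int check_ability_failclosed(const char *api, int role) {
    if (strcmp(api, "GetDevInfo") == 0) return role_bits(role);
    if (strcmp(api, "Reboot") == 0 ||
        strcmp(api, "Format") == 0)     return role_bits(role) & PERM_A;
    return 0;
}

/* Does the caller hold the admin bit for the Format API under a given check? */
int may_format(int (*check)(const char *, int), int role) {
    return (check("Format", role) & PERM_A) != 0;
}
```

The fail-open variant lets a guest or ordinary user reach Format, which is the behaviour the advisory describes; a code review or unit test that probes every API name against every role catches this class of defect before release.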
Exploitation
An attacker needs only a valid user session on the camera (non-administrative credentials are sufficient). By sending a specially crafted HTTP request to the Format API endpoint, the attacker can trigger the format operation. No additional privileges or user interaction beyond authentication are required. [1]
Impact
Successful exploitation allows the attacker to format the SD card and reboot the device, resulting in denial of service (loss of recorded footage and temporary device unavailability). The CVSSv3 score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H). [1]
Mitigation
As of the publication date (2022-01-28), no firmware update has been released to address this vulnerability. Users should restrict network access to the camera and ensure only trusted users have credentials. The vendor has not provided a patch; the device may be end-of-life. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- reolink/RLC-410W
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1425
News mentions
No linked articles in our index yet.