CVE-2021-40419

Vulnerability

The Reolink RLC-410W security camera firmware version v3.0.0.136_20121102 contains a leftover debug binary called factory that listens on UDP port 2009. This service accepts arbitrary firmware uploads without authentication, as described in Talos advisory TALOS-2021-1428 [1]. The vulnerable binary is left from development and exposes critical functionality including firmware update and factory reset.

Exploitation

An attacker with network access to the camera can send a series of specially-crafted UDP packets to port 2009. The wait_for_connection function in the factory binary processes these packets: if a packet with a magic value 0xfafafa is received, the source IP is recorded and the function returns, triggering the firmware update process. No authentication or prior knowledge is required; the attacker only needs to be able to reach the camera on the network [1].

Impact

Successful exploitation allows arbitrary firmware to be installed on the device. This gives the attacker full control over the camera, enabling complete compromise of confidentiality, integrity, and availability (CIA). The CVSSv3 score is 10.0 (Critical) due to network-based, unauthenticated access with no user interaction and a scope change [1].

Mitigation

As of the publication date (2022-01-28), no fixed firmware version has been disclosed for the RLC-410W. Users should isolate affected cameras on a separate VLAN and restrict UDP port 2009 access at the network perimeter. The vulnerability is listed as CWE-489 (Leftover Debug Code). No workaround within the camera itself exists; a vendor firmware update is required [1].