CVE-2021-44358
Description
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. SetRec param is not object. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in the JSON command parser of the Reolink RLC-410W v3.0.0.136_20121102 allows an unauthenticated attacker to reboot the device via a crafted HTTP request.
Vulnerability
The denial of service vulnerability exists in the cgiserver.cgi JSON command parser of the Reolink RLC-410W wireless security camera (firmware version 3.0.0.136_20121102). The SetRec parameter is not validated as an object, allowing improper input that crashes the parser and triggers a reboot [1]. This is classified as CWE-20: Improper Input Validation [1]. No authentication is required to reach the vulnerable code path.
Exploitation
An attacker can exploit this vulnerability by sending a specially-crafted HTTP request to the device from any position with network access to the camera's web interface. No authentication is required, and no user interaction is needed. The request must include a malformed SetRec parameter that is not an object, causing the parser to fail and subsequently restart the device [1].
Impact
Successful exploitation results in a denial of service condition through an immediate device reboot. The attacker gains no code execution, data access, or persistent control; the impact is limited to temporary disruption of the camera's operation. The CVSSv3 score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) [1], reflecting high availability impact with no confidentiality or integrity compromise.
Mitigation
As of the publication date (January 28, 2022), Reolink had released no publicly available fix for this vulnerability. The affected firmware version is 3.0.0.136_20121102. Users should monitor the vendor's advisory channels for an update. No workaround is disclosed in the available references [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- reolink/RLC-410W
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1421 (mitre, x_refsource_MISC)