CVE-2021-44366
Description
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote unauthenticated attacker can send a specially-crafted HTTP request to the cgiserver.cgi JSON command parser, causing a reboot of the Reolink RLC-410W camera.
Vulnerability
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W firmware version v3.0.0.136_20121102. A specially crafted HTTP request that exploits improper input validation (CWE-20) can kill the cgiserver.cgi process, which triggers a device reboot [1].
Exploitation
An attacker can send an HTTP request to the camera without requiring any authentication, prior network access, or user interaction. The request targets the cgiserver.cgi endpoint and contains a malformed JSON payload that is not properly validated, causing the process to terminate [1].
Impact
Successful exploitation results in a denial of service condition, forcing the camera to reboot. This disrupts the device's normal operation, including video recording and network accessibility, until the reboot completes. The impact is limited to availability; no data integrity or confidentiality breaches have been reported [1].
Mitigation
As of the publication date (2022-04-14), the references list no firmware update or vendor-supplied fix. Users should monitor the vendor for patches and consider network segmentation or firewall rules to limit exposure of the device's management interface to untrusted networks [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
Patches
0
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1421 (mitre, x_refsource_MISC)