CVE-2021-44370

Vulnerability

The vulnerability resides in the JSON command parser of cgiserver.cgi on Reolink RLC-410W firmware version v3.0.0.136_20121102. The SetFtp parameter is expected to be a JSON object, but the parser does not validate its type. When a non-object value (e.g., a string or integer) is supplied, the parser crashes, terminating the cgiserver.cgi process and triggering an immediate device reboot. No authentication is required to reach this code path [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the camera's web interface. The request must include a JSON payload where the SetFtp parameter is set to a non-object type. No prior authentication or user interaction is needed. The malformed input causes the parser to mishandle the data, killing the cgiserver.cgi process and forcing a reboot [1].

Impact

Successful exploitation results in a denial of service (DoS) condition: the camera reboots, interrupting video recording, motion detection, and network connectivity. The impact is limited to availability; no data confidentiality or integrity is compromised. The device remains unavailable until the reboot cycle completes [1].

Mitigation

As of the publication date (2022-01-28), no firmware update has been released to address this vulnerability. Users should monitor Reolink's official support channels for a patched version. Until a fix is available, restricting network access to the camera's web interface (e.g., via firewall rules or VLAN segmentation) can reduce exposure. The camera is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].