CVE-2021-44372
Description
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. SetLocalLink param is not object. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in Reolink RLC-410W cameras allows an unauthenticated attacker to reboot the device via a specially crafted HTTP request to cgiserver.cgi.
Vulnerability
CVE-2021-44372 is a denial of service vulnerability in the cgiserver.cgi JSON command parser of the Reolink RLC-410W wireless security camera running firmware version v3.0.0.136_20121102 [1]. The flaw resides in the parsing of the SetLocalLink parameter, which is expected to be an object but can be sent as a non-object type. This improper input validation (CWE-20) leads to the crash of the cgiserver.cgi process, resulting in an immediate reboot of the device [1]. The vulnerability is reachable without any authentication [1].
Exploitation
An attacker can exploit this vulnerability by sending an unauthenticated HTTP request to the camera's web interface. The request must include a crafted JSON payload where the SetLocalLink parameter is not an object (e.g., a string or integer). No prior authentication or user interaction is required, and the attack can be mounted from any network position that can reach the camera's HTTP service [1].
Impact
Successful exploitation causes the cgiserver.cgi process to terminate, which triggers a full reboot of the camera. This results in a denial of service, as the camera becomes temporarily unavailable for monitoring or recording functions [1]. The availability impact is high, while confidentiality and integrity are not affected. The CVSSv3 base score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) [1].
Mitigation
As of the publication date (January 28, 2022), no patched firmware version had been released [1]. Users are advised to restrict network access to the camera's HTTP interface (e.g., by placing it behind a firewall or VPN) until an update is available. The vendor has not indicated an end-of-life status for this model. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries
- reolink/RLC-410W (source: description)
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1421 (mitre, x_refsource_MISC)