CVE-2021-44377
Description
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot because the SetImage param is not checked to be a JSON object. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The SetImage JSON parameter in Reolink RLC-410W cameras is not validated, allowing an unauthenticated attacker to trigger a denial-of-service reboot via a crafted HTTP request.
Vulnerability
The cgiserver.cgi JSON command parser of the Reolink RLC-410W camera (version 3.0.0.136_20121102) does not properly validate the SetImage parameter when processing HTTP requests. The JSON parser expects an object but does not enforce this constraint, leading to improper input validation (CWE-20). This flaw allows an attacker to send a specially-crafted HTTP request that contains a malformed SetImage value, causing the cgiserver.cgi process to crash and the device to reboot.[1]
Exploitation
An attacker can exploit this vulnerability by sending an HTTP request to the camera's web server that includes a JSON body with the SetImage parameter set to a non-object type (e.g., a string or number). The request does not require any authentication or special network position, as the vulnerable API is accessible without credentials. No user interaction is needed. The software's JSON parser will fail to handle the unexpected data type, leading to a process crash and immediate system reboot.[1]
Impact
Successful exploitation results in a denial of service (availability impact) as the camera reboots, causing temporary loss of surveillance functionality. The impact is limited to availability; there is no evidence of data compromise or privilege escalation. The camera reboots within seconds of the malformed request, and normal operation resumes after the boot cycle completes.[1]
Mitigation
As of the publication date (2022-01-28), no firmware update has been released to address this vulnerability. The affected version is Reolink RLC-410W v3.0.0.136_20121102. Users should monitor vendor advisories for future patches. Until a fix is available, network segmentation or firewall rules to restrict unauthorized access to the camera's HTTP interface may reduce exposure. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.[1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- reolink/RLC-410W
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1421
News mentions
No linked articles in our index yet.