Unrated severity · NVD Advisory · Published Jan 28, 2022 · Updated Apr 15, 2025

CVE-2021-44382

Description

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. SetIrLights param is not object. An attacker can send an HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper input validation in the cgiserver.cgi JSON parser of the Reolink RLC-410W camera allows unauthenticated remote attackers to trigger a device reboot via a specially crafted HTTP request.

Vulnerability

A denial of service vulnerability exists in the JSON command parser functionality of cgiserver.cgi in Reolink RLC-410W firmware version 3.0.0.136_20121102. The bug is triggered when the SetIrLights parameter is given a value that is not an object; the parser does not validate the type of that input (CWE-20). The code path is reachable without authentication over the network [1].

Exploitation

An attacker does not require any prior authentication or special network position beyond network access to the camera's web interface. By sending an HTTP request with a malformed SetIrLights parameter (e.g., a string or number instead of the expected object), the cgiserver.cgi process crashes, which in turn triggers a full device reboot [1].

Impact

Successful exploitation causes the camera to reboot, resulting in a temporary loss of surveillance and recording capabilities. This is a denial of service (availability impact) with no compromise of confidentiality or integrity. The CVSSv3 score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) [1].

Mitigation

As of the publication date (2022-01-28), the vulnerability is confirmed in firmware version 3.0.0.136_20121102. No firmware update or patch has been announced in the available references [1]. Users should monitor the vendor's official support channels for future updates and consider network-level access controls (e.g., restricting the camera's web interface to trusted networks) as a workaround.
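
The type check the parser omits can be enforced in front of the camera, for example in a filtering reverse proxy or when reviewing logged request bodies. The following is an added example, not code from the vendor or from the cited reference; the request envelope (a JSON array of command objects with `cmd` and `param` keys) is an assumption not stated on this page, and the sample bodies are constructed.

```python
import json

# Assumption: the body is a JSON array of command objects, each carrying a
# "cmd" name and a "param" value. This page only states that the SetIrLights
# param must be an object; the envelope shape is not given here.

def find_bad_params(body, guarded_cmds=("SetIrLights",)):
    """Return reasons to reject the body; an empty list means it passes."""
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError) as exc:
        # Malformed or pathologically nested JSON never reaches the device.
        return [f"unparseable JSON: {exc.__class__.__name__}"]
    # Accept a single command object as well as an array of them.
    commands = doc if isinstance(doc, list) else [doc]
    problems = []
    for index, command in enumerate(commands):
        if not isinstance(command, dict):
            problems.append(f"command {index}: not an object")
            continue
        name = command.get("cmd")
        if name not in guarded_cmds:
            continue  # only the commands named in guarded_cmds are checked
        if "param" not in command:
            # Conservative choice: a missing param is rejected as well.
            problems.append(f"command {index} ({name}): param missing")
        elif not isinstance(command["param"], dict):
            kind = type(command["param"]).__name__
            problems.append(f"command {index} ({name}): param is {kind}, not object")
    return problems

# Constructed sample bodies (not captured traffic; field contents are placeholders).
SAMPLES = {
    "well_formed": '[{"cmd": "SetIrLights", "param": {"placeholder": 1}}]',
    "param_is_string": '[{"cmd": "SetIrLights", "param": "x"}]',
    "param_is_number": '[{"cmd": "SetIrLights", "param": 1}]',
    "other_command": '[{"cmd": "SomeOtherCmd", "param": 0}]',
    "not_json": '[{"cmd": ',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, "->", find_bad_params(body) or "pass")
```

Other commands can be added to `guarded_cmds` if they are known to require an object `param`.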

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • reolink/RLC-410W (description)
  • Reolink/RLC-410W (llm-fuzzy)
    Range: = 3.0.0.136_20121102

Patches

0

No patches discovered yet.

References

1