CVE-2021-44394
Description
Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple denial of service flaws in Reolink RLC-410W camera firmware v3.0.0.136 allow unauthenticated remote attackers to reboot the device via crafted HTTP requests.
Vulnerability
CVE-2021-44394 is one of a series of denial of service vulnerabilities affecting the cgiserver.cgi JSON command parser in Reolink RLC-410W firmware version v3.0.0.136_20121102. The parser improperly validates certain JSON inputs, as described in CWE-20 (Improper Input Validation) [1]. This flaw exists in an API intended for administrator use but is reachable without authentication, leading to process termination and device reboot.
Exploitation
An attacker can exploit this vulnerability remotely over the network without any authentication or user interaction. By sending a specially-crafted HTTP request containing malformed JSON data to the cgiserver.cgi endpoint, the attacker triggers the input validation error. The request can be sent from any network position that can reach the camera's web interface.
Impact
Successful exploitation causes the cgiserver.cgi process to terminate, resulting in an immediate reboot of the device [1]. This leads to a complete denial of service (availability impact). The attack has no impact on confidentiality or integrity. According to the CVSS v3.0 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), the impact is confined to availability, but the attack is remotely exploitable with no privileges required.
Mitigation
As of the publication date (April 14, 2022), Reolink has not released a firmware update addressing these vulnerabilities [1]. The affected firmware version v3.0.0.136_20121102 remains the latest. Until a patch is available, users can mitigate risk by restricting network access to the camera's web interface using firewall rules or VLAN isolation, and by ensuring the camera is not exposed to the public internet.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1421 (mitre, x_refsource_MISC)