Unrated severity · NVD Advisory · Published Jan 28, 2022 · Updated Apr 15, 2025

CVE-2021-44395

Description

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. GetMask param is not object. An attacker can send an HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A denial-of-service vulnerability in Reolink RLC-410W cgiserver.cgi allows unauthenticated remote attackers to cause a device reboot via a crafted HTTP request.

Vulnerability

The vulnerability resides in the cgiserver.cgi JSON command parser of the Reolink RLC-410W WiFi security camera, specifically in the handling of the GetMask parameter. Improper input validation (CWE-20) allows an attacker to send a specially-crafted HTTP request that kills the cgiserver.cgi process, triggering a device reboot. The affected firmware version is v3.0.0.136_20121102 [1].

Exploitation

An unauthenticated attacker can exploit this flaw by sending a malicious HTTP request to the camera's web interface. No prior authentication or user interaction is required. The request must include a GetMask parameter that is not an object, causing the JSON parser to fail and crash the process, leading to an immediate reboot [1].

Impact

Successful exploitation results in a denial of service: the camera reboots and becomes temporarily unavailable. There is no impact on confidentiality or integrity; only availability is affected. The CVSSv3 score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) [1].

Mitigation

As of the publication date, no official fix or workaround has been disclosed in the available references [1]. Users should monitor vendor advisories for updated firmware and consider network-level access controls to limit exposure until a patch is released.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • reolink/RLC-410W (description)
  • Reolink/RLC-410W (llm-fuzzy)
    Range: = v3.0.0.136_20121102

Patches

0

No patches discovered yet.

References

1
