CVE-2021-44397
Description
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. The rtmp=start param is not an object. An attacker can send an HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial-of-service vulnerability in Reolink RLC-410W's cgiserver.cgi JSON parser allows unauthenticated remote attackers to trigger a device reboot via a crafted HTTP request.
Vulnerability
A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W firmware version 3.0.0.136_20121102. The parser fails to properly validate the rtmp=start parameter when it is not an object, leading to a crash of the cgiserver.cgi process. The vulnerability is classified as CWE-20 (Improper Input Validation) [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially-crafted HTTP request to the camera's web interface. No authentication is required, and the attacker does not need any prior knowledge of the device beyond network access. The crafted request causes the cgiserver.cgi process to terminate, resulting in a system reboot [1].
Impact
Successful exploitation leads to a denial of service condition where the device becomes unresponsive and reboots. This disrupts the camera's surveillance functionality until the reboot completes. The impact is limited to availability; no data confidentiality or integrity is compromised [1].
Mitigation
As of the publication date, no firmware update fixing this vulnerability has been released for the Reolink RLC-410W. Users should monitor the vendor's support channels for updates and consider network-level access controls (e.g., firewall rules) to restrict exposure of the camera's web interface to trusted networks only. The device is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- reolink/RLC-410W
Patches
No patches discovered yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1421 (MITRE, x_refsource_MISC)