Unrated severity · NVD Advisory · Published Jan 28, 2022 · Updated Apr 15, 2025

CVE-2021-44410


Description

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. The issue occurs when the UpgradePrepare param is not an object. An attacker can send an HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A denial of service vulnerability in Reolink RLC-410W camera's cgiserver.cgi allows unauthenticated remote attackers to trigger a device reboot via a specially crafted HTTP request.

Vulnerability

The vulnerability exists in the cgiserver.cgi JSON command parser of Reolink RLC-410W firmware version v3.0.0.136_20121102. A specially-crafted HTTP request where the UpgradePrepare parameter is not an object can cause the cgiserver.cgi process to terminate, leading to a device reboot. This issue is classified as CWE-20 (Improper Input Validation) [1].

Exploitation

An attacker can send an HTTP request to the device without requiring any authentication or user interaction. The attack is network-based, reachable over the LAN, or over the WAN if the device is exposed. When the request carries an UpgradePrepare JSON parameter that is a non-object value (e.g., a string or number) instead of the expected object, the parser enters an error state that kills the process [1].

Impact

Successful exploitation causes the cgiserver.cgi process to terminate, which triggers an immediate reboot of the device. This results in a denial of service (availability impact). The CVSSv3 score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), indicating high severity with no confidentiality or integrity impact [1].

Mitigation

As of the available reference, no patched firmware version has been released. Reolink has been notified but the timeline for a fix is unknown. Users should consider network-level protections, such as restricting HTTP access to the camera from trusted networks only, until an update is provided [1].
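
One way to apply the network-level protection described above, as an added example that is not Reolink's code and not part of the advisory: a check a filtering reverse proxy could run on each request body before forwarding it to the camera, rejecting any command whose `param` is not a JSON object. The `cmd`/`param` envelope, the name `check_command_body` and the size cap are assumptions; the page states only that the `UpgradePrepare` `param` must be an object.

```python
import json

MAX_BODY = 64 * 1024  # assumed cap for a command body; tune per deployment


def check_command_body(raw: bytes):
    """Return (allowed, reason) for one HTTP request body bound for the camera."""
    if len(raw) > MAX_BODY:
        return False, "body too large"
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (ValueError, RecursionError) as exc:
        # Covers bad UTF-8, malformed JSON and pathological nesting: fail closed.
        return False, f"not valid JSON: {exc.__class__.__name__}"
    # Assumed envelope: one command object, or an array of them.
    commands = doc if isinstance(doc, list) else [doc]
    if not commands:
        return False, "empty command list"
    for i, command in enumerate(commands):
        if not isinstance(command, dict):
            return False, f"command {i} is not an object"
        name = command.get("cmd")
        if not isinstance(name, str):
            return False, f"command {i} has no string 'cmd'"
        # The type check the advisory describes as missing in the parser.
        # A command without 'param' is passed through (assumption).
        if "param" in command and not isinstance(command["param"], dict):
            kind = type(command["param"]).__name__
            return False, f"{name}: 'param' is {kind}, expected object"
    return True, "ok"


# Constructed sample bodies for illustration (not captured traffic).
SAMPLES = [
    b'[{"cmd": "UpgradePrepare", "param": {}}]',   # well-formed
    b'[{"cmd": "UpgradePrepare", "param": 1}]',    # param is a number
    b'{"cmd": "UpgradePrepare", "param": "x"}',    # param is a string
    b'[{"cmd": "UpgradePrepare"',                  # truncated JSON
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", check_command_body(body))
```

Logging the rejection reason together with the client address gives a detection signal for malformed-command attempts against the device.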

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • reolink/RLC-410W (description)
  • Reolink/RLC-410W (llm-fuzzy)
    Range: = 3.0.0.136_20121102

Patches

0

No patches discovered yet.


References

1
