CVE-2019-11001
Published 2019-04-08
Priority P180 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), due 2025-01-08
Exploited in the wild
EPSS: 38.37% (98.4th percentile)
On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices through 1.0.227, an authenticated admin can use the "TestEmail" functionality to inject and run OS commands as root, as demonstrated by shell metacharacters in the addr1 field.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| reolink | c1_pro_firmware | <= 1.0.227 | — |
| reolink | c2_pro_firmware | <= 1.0.227 | — |
| reolink | rlc-410w_firmware | <= 1.0.227 | — |
| reolink | rlc-422w_firmware | <= 1.0.227 | — |
| reolink | rlc-511w_firmware | <= 1.0.227 | — |
Detection & IOCs
Path: /cgi-bin/api.cgi
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera TestEmail Authenticated Command Injection Attempt (CVE-2019-11001)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/api.cgi|3f|cmd|3d|TestEmail"; fast_pattern; startswith; http.request_body; content:"|22|cmd|22|"; content:"|22|TestEmail|22 2c|"; within:20; content:"|22|addr"; distance:0; pcre:"/^[1-3]\x22\x3a[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/advisories/GHSA-73c7-5g37-cmq7; reference:url,github.com/mcw0/PoC/blob/master/Reolink-IPC-RCE.py; reference:cve,2019-11001; classtype:attempted-admin; sid:2059683; rev:1;)
- Exploit targets HTTP POST requests to /cgi-bin/api.cgi?cmd=TestEmail; inspect request body for the 'addr' field (addr1, addr2, addr3) containing shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24)
- Request body must contain the JSON key 'cmd' with value 'TestEmail' followed within 20 bytes by the 'addr' field; use this sequence as a fast-pattern anchor for the injection attempt
- Exploitation requires authenticated admin session; monitor for admin-authenticated sessions issuing TestEmail API calls, especially from unexpected source IPs
- PoC script publicly available at github.com/mcw0/PoC/blob/master/Reolink-IPC-RCE.py; traffic patterns from this script can be used to build behavioral baselines
- Exploitation requires prior authentication as admin; unauthenticated access alone is insufficient to trigger the vulnerability
- Affected devices (RLC-410W, C1 Pro, C2 Pro, RLC-422W, RLC-511W through firmware 1.0.227) may be EoL/EoS with no available patch; CISA recommends discontinuing use if no mitigation exists
- The Snort/ET rule (sid:2059683) is scoped to plaintext HTTP traffic only (tls_state plaintext); HTTPS-wrapped management interfaces will not be detected by this rule
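The rule's content and pcre conditions, re-expressed as an added Python example (not part of the rule set or of any source cited on this page) so the same check can be run over proxy or capture logs. The request bodies are constructed, and the `param`, `Email` and `note` field names are assumptions made for illustration.

```python
import re

# The rule's metacharacter alternation: ; newline ` | $ (raw or percent-encoded).
META = rb'(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)'
# "cmd", then "TestEmail", ending within 20 bytes (12-byte literal, so at most
# 8 bytes in between), then any later "addr1".."addr3" key followed, before the
# next '&', by one of the metacharacters.
BODY_RE = re.compile(
    rb'"cmd".{0,8}?"TestEmail",.*?"addr[1-3]":[^&]*?' + META, re.S)
URI_PREFIX = "/cgi-bin/api.cgi?cmd=TestEmail"


def matches_rule(method: str, uri: str, body: bytes) -> bool:
    """True when a request meets the same conditions as sid:2059683."""
    if method != "POST" or not uri.startswith(URI_PREFIX):
        return False
    return BODY_RE.search(body) is not None


def body(email_fields: str) -> bytes:
    # Constructed JSON layout; only "cmd", "TestEmail" and addrN come from the rule.
    return ('[{"cmd":"TestEmail","param":{"Email":{%s}}}]' % email_fields).encode()


# Constructed requests: (method, uri, body).
SAMPLES = {
    "benign": ("POST", URI_PREFIX, body('"addr1":"ops@example.test"')),
    "raw_semicolon": ("POST", URI_PREFIX,
                      body('"addr1":"ops@example.test;PLACEHOLDER"')),
    "encoded_pipe": ("POST", URI_PREFIX,
                     body('"addr2":"ops@example.test%7cPLACEHOLDER"')),
    "other_cmd": ("POST", "/cgi-bin/api.cgi?cmd=GetEmail", body('"addr1":"a;b"')),
    # The pcre scans everything after addrN up to '&', so a '$' in a later,
    # unrelated field also alerts: expect to triage these by hand.
    "dollar_in_later_field": ("POST", URI_PREFIX,
                              body('"addr1":"ops@example.test","note":"cost $5"')),
}


def triage() -> dict:
    return {name: matches_rule(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{name:24} {'ALERT' if hit else 'pass'}")
```
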
CVSS provenance
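| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 7.2 | HIGH | — |
| cisa | — | 7.2 | HIGH | — |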
GHSA
GHSA-73c7-5g37-cmq7 · ghsa_unreviewed · 2022-05-14
CVE-2019-11001 [HIGH] CWE-78
On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices through 1.0.227, an authenticated admin can use the "TestEmail" functionality to inject and run OS commands as root, as demonstrated by shell metacharacters in the addr1 field.
VulnCheck
Reolink Multiple IP Cameras OS Command Injection Vulnerability
vulncheck · 2019 · CVSS 7.2
CVE-2019-11001 [HIGH] CWE-78
Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W IP cameras contain an authenticated OS command injection vulnerability. This vulnerability allows an authenticated admin to use the "TestEmail" functionality to inject and run OS commands as root.
Affected: Reolink Multiple IP Cameras
Required Action: The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2025-01-08
CISA
Reolink Multiple IP Cameras OS Command Injection Vulnerability
cisa · 2024-12-18 · CVSS 7.2
CVE-2019-11001 [HIGH] CWE-78
Affected: Reolink Multiple IP Cameras
Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W IP cameras contain an authenticated OS command injection vulnerability. This vulnerability allows an authenticated admin to use the "TestEmail" functionality to inject and run OS commands as root.
Required Action: The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.
Notes: https://reolink.com/product-eol/ ; https://reolink.com/download-center/ ; https://nvd.nist.gov/vuln/detail/CVE-2019-11001
Remediation Due Date: 2025-01-08
Suricata
ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera TestEmail Authenticated Command Injection Attempt (CVE-2019-11001)
suricata · 2025-01-27 · CVSS 7.2
CVE-2019-11001 [HIGH]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera TestEmail Authenticated Command Injection Attempt (CVE-2019-11001)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/api.cgi|3f|cmd|3d|TestEmail"; fast_pattern; startswith; http.request_body; content:"|22|cmd|22|"; content:"|22|TestEmail|22 2c|"; within:20; content:"|22|addr"; distance:0; pcre:"/^[1-3]\x22\x3a[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/advisories/GHSA-73c7-5g37-cmq7; reference:url,github.com/mcw0/PoC/blob/master/Reolink-IPC-RCE.py; reference:cve,2019-11
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/mcw0/PoC/blob/master/Reolink-IPC-RCE.py
- https://www.vdoo.com/blog/working-with-the-community-%E2%80%93-significant-vulnerabilities-in-reolink-cameras/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11001
2019-04-08: Published
2024-12-18: Added to CISA KEV
Exploited in the wild