CVE-2021-40150
published 2022-07-17
Priority P3 54 | high | 7.5 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 3.36% (87.2th percentile)
The web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. In this way an attacker can download the entire NGINX/FastCGI configurations by querying the /conf/nginx.conf or /conf/fastcgi.conf URI.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| reolink | e1_zoom_firmware | <= 3.0.0.716 | — |
Detection & IOCs
sigma
GET request to /conf/nginx.conf or /conf/fastcgi.conf returning HTTP 200 with body containing 'server', 'listen', 'fastcgi'
- Look for unauthenticated HTTP GET requests to /conf/nginx.conf or /conf/fastcgi.conf on Reolink E1 Zoom camera hosts; a 200 response containing the words 'server', 'listen', and 'fastcgi' confirms exploitation.
- Use Shodan or FOFA to identify exposed Reolink cameras as targets: Shodan queries 'http.title:"Reolink"' / 'http.title:"reolink"', FOFA query 'title="reolink"'.
- No authentication is required; the /conf/ directory is mapped to a publicly accessible path, making this exploitable by any network-level attacker.
- Vulnerability affects Reolink E1 Zoom firmware versions up to and including 3.0.0.716 only; patched versions are not affected.
- The disclosed configuration files are NGINX and FastCGI configs; the sensitive data exposed depends on the content of those files on the specific device.
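The access-log side of the check described above, as an added example (not part of the original page or of the Nuclei template). It assumes a reverse proxy or gateway in front of the camera that writes combined-format access logs; the log lines are constructed. Access logs carry no response body, so the 'server'/'listen'/'fastcgi' body match is replaced here by "GET, status 200, non-empty response".

```python
import posixpath
import re
from urllib.parse import unquote

# The two URIs named in the CVE description.
SENSITIVE = {"/conf/nginx.conf", "/conf/fastcgi.conf"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalise(target):
    """Reduce a request target to the path the web server would resolve."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])  # drop query, decode %xx
    # Collapse duplicate slashes and ./ ../ segments, keep a single leading slash.
    return "/" + posixpath.normpath(path).lstrip("/")

def classify(line):
    """Return (src, path, verdict) for a request to a sensitive path, else None."""
    m = LINE.match(line)
    if not m or m["method"] not in ("GET", "HEAD"):
        return None
    path = normalise(m["target"])
    if path not in SENSITIVE:
        return None
    # "disclosed": the file was actually served; anything else is only a probe.
    served = m["method"] == "GET" and m["status"] == "200" and m["size"] not in ("-", "0")
    return m["src"], path, "disclosed" if served else "probe"

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Jul/2022:10:01:02 +0000] "GET /conf/nginx.conf HTTP/1.1" 200 2210 "-" "curl/7.81.0"',
    '198.51.100.7 - - [17/Jul/2022:10:01:03 +0000] "GET /conf//%66astcgi.conf?x=1 HTTP/1.1" 200 964 "-" "curl/7.81.0"',
    '203.0.113.9 - - [17/Jul/2022:10:05:00 +0000] "GET /conf/nginx.conf HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.4 - - [17/Jul/2022:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, path, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:9} {src:15} {path}")
```

A "disclosed" verdict means the configuration left the device and should be treated as exposed; a "probe" verdict (for example the 404 line) shows someone checking a host that did not serve the file.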
No detection rules found.
Nuclei
Reolink E1 Zoom Camera <=3.0.0.716 - Information Disclosure
nuclei·CVSS 7.5
CVE-2021-40150 [HIGH] Reolink E1 Zoom Camera <=3.0.0.716 - Information Disclosure
Reolink E1 Zoom camera through 3.0.0.716 is susceptible to information disclosure. The web server discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. An attacker with network-level access to the camera can download the entire NGINX/FastCGI configurations by querying the /conf/nginx.conf or /conf/fastcgi.conf URI.
Template:
```yaml
id: CVE-2021-40150
info:
  name: Reolink E1 Zoom Camera <=3.0.0.716 - Information Disclosure
  author: For3stCo1d
  severity: high
  description: |
    Reolink E1 Zoom camera through 3.0.0.716 is susceptible to information disclosure. The web server discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. An attacker with networ
```
No writeups or analysis indexed.
2022-07-17
Published