CVE-2021-40150
published 2022-07-17


Priority: P3 54 · Severity: high · CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 3.36% (87.2th percentile)
The web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. In this way an attacker can download the entire NGINX/FastCGI configurations by querying the /conf/nginx.conf or /conf/fastcgi.conf URI.

Affected

1 range
Vendor: reolink
Product: e1_zoom_firmware
Version range: <= 3.0.0.716
Fixed in: (not given)

Detection & IOCs (extracted from sources)

Indicators:
  • path: /conf/nginx.conf
  • path: /conf/fastcgi.conf
  • path: /conf/
Sigma rule (summary): GET request to /conf/nginx.conf or /conf/fastcgi.conf returning HTTP 200 with a body containing 'server', 'listen', 'fastcgi'
  • Look for unauthenticated HTTP GET requests to /conf/nginx.conf or /conf/fastcgi.conf on Reolink E1 Zoom camera hosts; a 200 response containing the words 'server', 'listen', and 'fastcgi' confirms exploitation.
  • Use Shodan or FOFA to identify exposed Reolink cameras as targets: Shodan queries 'http.title:"Reolink"' / 'http.title:"reolink"', FOFA query 'title="reolink"'.
  • No authentication is required; the /conf/ directory is mapped to a publicly accessible path, making this exploitable by any network-level attacker.
  • The vulnerability affects Reolink E1 Zoom firmware versions up to and including 3.0.0.716 only; patched versions are not affected.
  • The disclosed configuration files are NGINX and FastCGI configs; the sensitive data exposed depends on the content of those files on the specific device.
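The detection rule summarised above (unauthenticated GET to /conf/nginx.conf or /conf/fastcgi.conf, HTTP 200, body containing 'server', 'listen' and 'fastcgi'), implemented over HTTP transaction records as an added example; this is not code from the CVE record or from Reolink. It assumes a reverse proxy or IDS in front of the camera that logs the request line, the status code and an excerpt of the response body (plain access logs do not carry the body, so the body check is only possible where response inspection exists). The transaction records and the `detect`/`classify` helper names are constructed for this example.

```python
from typing import Optional

# Paths named in the CVE record as disclosing NGINX/FastCGI configuration.
SENSITIVE_PATHS = {"/conf/nginx.conf", "/conf/fastcgi.conf"}
# Body keywords from the detection rule; all three together confirm disclosure.
BODY_MARKERS = ("server", "listen", "fastcgi")

# Constructed sample transactions: (client_ip, method, path, status, body_excerpt).
# These are invented records, not captures from a real device.
SAMPLE_TRANSACTIONS = [
    ("203.0.113.7", "GET", "/conf/nginx.conf?x=1", 200,
     "worker_processes 1;\nhttp {\n  server {\n    listen 80;\n"
     "    location / { fastcgi_pass unix:/tmp/fcgi.sock; }\n  }\n}"),
    ("203.0.113.7", "GET", "/conf/fastcgi.conf", 404, "Not Found"),
    ("198.51.100.3", "GET", "/index.html", 200, "<html>ok</html>"),
    ("198.51.100.3", "GET", "/conf/", 403, "Forbidden"),
    ("203.0.113.9", "GET", "/conf/fastcgi.conf", 200,
     "fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;"),
]


def normalize_path(path: str) -> str:
    """Strip query string and fragment so '/conf/nginx.conf?x=1' still matches."""
    for sep in ("?", "#"):
        path = path.split(sep, 1)[0]
    return path


def classify(tx) -> Optional[dict]:
    """Return an alert dict for one transaction, or None if it is not of interest."""
    ip, method, path, status, body = tx
    path = normalize_path(path)
    if method != "GET" or path not in SENSITIVE_PATHS:
        return None
    base = {"client": ip, "path": path, "status": status}
    if status != 200:
        # Request for the sensitive file that was refused: an attempt, not a leak.
        return {**base, "verdict": "probe"}
    lowered = body.lower()
    markers = [m for m in BODY_MARKERS if m in lowered]
    if len(markers) == len(BODY_MARKERS):
        # All three keywords present in a 200 response: the rule's confirmation case.
        return {**base, "verdict": "confirmed_disclosure", "markers": markers}
    # 200 on the sensitive path but body only partially matches: still worth triage.
    return {**base, "verdict": "likely_disclosure", "markers": markers}


def detect(transactions) -> list:
    """Run the rule over a sequence of transactions and return alerts in order."""
    alerts = []
    for tx in transactions:
        alert = classify(tx)
        if alert is not None:
            alerts.append(alert)
    return alerts


def summarize(alerts) -> dict:
    """Count alerts per verdict, e.g. for a dashboard tile or a test assertion."""
    counts = {}
    for a in alerts:
        counts[a["verdict"]] = counts.get(a["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(SAMPLE_TRANSACTIONS):
        print(a)
    print(summarize(detect(SAMPLE_TRANSACTIONS)))
```

A 403 on /conf/ itself is not flagged: the rule keys on the two file paths, and a denied directory listing is the expected behaviour on a patched device. Probes against those files with non-200 responses are reported separately so that scanning activity is visible without being counted as a disclosure.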