CVE-2021-40407
published 2022-01-28

CVE-2021-40407: An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS…

Priority: P1, 82, high
CVSS 3.1: 7.2 (high), AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA KEV: listed (Known Exploited Vulnerability), remediation due 2025-01-08
Exploited in the wild (ITW)
EPSS: 47.91% (98.7th percentile)
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.
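The description says the problem is a missing check on `domain` before it reaches an OS command. As an added example (not Reolink firmware code, and not from this page), the following Python contrasts the command-building pattern that makes such an injection possible with the allowlist validation a fixed handler should apply; `ddns-update` is a hypothetical placeholder binary, and the hostname grammar is plain RFC 1123 (letters, digits, hyphens, dots), so it goes slightly beyond the single `domain` case by rejecting every shell metacharacter at once rather than enumerating them.

```python
"""Added example (not Reolink code): allowlist validation for a DDNS hostname,
beside the string-splicing pattern that turns it into command injection.
`ddns-update` is a hypothetical placeholder for whatever the device runs."""
import re
import shlex

# One RFC 1123 hostname label: 1-63 letters/digits/hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ddns_domain(domain: str) -> bool:
    """Allowlist: accept only a syntactically valid hostname. Every metacharacter
    the ET rule hunts for (; newline ` | $) fails this test, as does anything
    else outside [A-Za-z0-9.-]."""
    if not domain or len(domain) > 253:
        return False
    labels = domain.rstrip(".").split(".")  # tolerate a trailing dot (FQDN form)
    return all(LABEL_RE.match(label) for label in labels)


def build_command_unsafe(domain: str) -> str:
    """The vulnerable pattern: untrusted input spliced into a command line that a
    shell will later parse. This is the class of mistake the description
    attributes to the SetDdns handler, shown here in Python for illustration."""
    return f"ddns-update --host {domain}"


def shell_tokens(command_line: str) -> list:
    """Show what a POSIX shell would make of the string: ';' becomes a command
    separator, so everything after it runs as a second command."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


def build_command_safe(domain: str) -> list:
    """Hardened form: validate against the allowlist, then return an argv list so
    no shell ever parses the value (run it with subprocess.run(argv), no shell=True)."""
    if not is_valid_ddns_domain(domain):
        raise ValueError(f"rejected DDNS domain: {domain!r}")
    return ["ddns-update", "--host", domain]


if __name__ == "__main__":
    for candidate in ("cam.example.org", "cam.example.org;id", "cam.example.org$(id)"):
        print(candidate, "->", shell_tokens(build_command_unsafe(candidate)),
              "| valid:", is_valid_ddns_domain(candidate))
```

The point of `shell_tokens` is to make the failure visible without executing anything: the unsafe string for `cam.example.org;id` lexes into five tokens, the last two being a separate `id` command. The safe path never produces a string a shell parses, and the allowlist rejects the value before that anyway.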

Affected (1 range)

Vendor: reolink
Product: rlc-410w_firmware
Version range: not specified on this page (the description names v3.0.0.136_20121102)
Fixed in: not listed

Detection & IOCs (extracted from sources)

URL: /cgi-bin/api.cgi?cmd=SetDdns
Rule (filed under snort on this page; the http.uri, startswith and http.request_body sticky buffers are Suricata 5+ syntax, ET Open sid 2059709):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera SetDdns Authenticated Command Injection Attempt (CVE-2021-40407, CVE-2021-40408, CVE-2021-40409)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/api.cgi|3f|cmd|3d|SetDdns"; fast_pattern; startswith; http.request_body; content:"|22|cmd|22|"; content:"|22|SetDdns|22 2c|"; within:20; pcre:"/^.+\x22(?:domain|password|username)\x22\x3a[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/Rm"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2021-1424; reference:cve,2021-40407; reference:cve,2021-40408; reference:cve,2021-40409; classtype:attempted-admin; sid:2059709; rev:1;)
  • Target: HTTP POST requests to /cgi-bin/api.cgi?cmd=SetDdns on Reolink RLC-series devices; the injection payload travels in the JSON request body of the SetDdns API command.
  • Inspect the `domain`, `password` or `username` JSON fields of the SetDdns body for OS command metacharacters, raw or percent-encoded: semicolon (; / %3B), newline (\n / %0A), backtick (` / %60), pipe (| / %7C) and dollar sign ($ / %24). The PCRE fires on the first such character after one of those field names, so one rule covers this CVE and the two sibling CVEs named in its msg.
  • The rule inspects plaintext HTTP only; an exploit sent to the camera over HTTPS is invisible to it unless TLS is terminated in front of the sensor. Perimeter and internal monitoring are both relevant, since the camera normally sits on an internal network.
  • The injection point is the `domain` parameter (the ddns->domain variable) passed through the SetDdns API, which is used in an OS command without validation.
  • Exploitation requires prior authentication (CVSS PR:H, and the rule name says "Authenticated"); an unauthenticated attacker cannot reach SetDdns directly.
  • The affected firmware version is v3.0.0.136_20121102; this page lists no fixed version, so treat the device as unpatched unless the vendor states otherwise.
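The rule's logic as a stand-alone check, an added example that is neither the ET rule itself nor code from this page: it applies the same pre-filters (POST, `cmd=SetDdns` in the URI, `"cmd"` and `"SetDdns",` in the body) and the same metacharacter set, but walks the decoded JSON instead of running the PCRE, so nesting and escaped characters are handled. The host, token and the exact layout of the SetDdns body are assumptions; the sample requests are constructed, not captured.

```python
"""Added example (not part of the page's rule): a Python re-implementation of the
ET signature's logic, run over constructed sample requests. The JSON layout of
the SetDdns body, host and token values are assumptions, not captured traffic."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# The metacharacters the rule's PCRE alternates over, raw or percent-encoded:
# ';' '\n' '`' '|' '$'
META_RE = re.compile(r";|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24")
WATCHED_FIELDS = {"domain", "password", "username"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, request-target, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    return method, target, body.decode("latin-1")


def is_setddns_request(method: str, target: str, body: str) -> bool:
    """Same pre-filters as the signature: POST, URI /cgi-bin/api.cgi with
    cmd=SetDdns, and a body that names the SetDdns command."""
    if method != "POST":
        return False
    url = urlsplit(target)
    if url.path != "/cgi-bin/api.cgi" or parse_qs(url.query).get("cmd") != ["SetDdns"]:
        return False
    return '"cmd"' in body and '"SetDdns",' in body


def _collect(node, out):
    """Recursively gather watched string fields from decoded JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() in WATCHED_FIELDS and isinstance(value, str):
                out.append((key, value))
            _collect(value, out)
    elif isinstance(node, list):
        for item in node:
            _collect(item, out)


def find_injection(body: str):
    """Return [(field, value)] for watched fields that carry a metacharacter."""
    candidates = []
    try:
        # strict=False admits a raw newline inside a string, which a lenient
        # device-side parser may also accept and which is one of the bytes we hunt.
        _collect(json.loads(body, strict=False), candidates)
    except ValueError:
        # Not valid JSON: fall back to a regex over the raw text, as the rule does.
        for m in re.finditer(r'"(domain|password|username)"\s*:\s*"([^"]*)"', body, re.I):
            candidates.append((m.group(1), m.group(2)))
    return [(field, value) for field, value in candidates if META_RE.search(value)]


def inspect(raw: bytes):
    """Full pipeline: the offending (field, value) pairs, or [] when nothing fires."""
    method, target, body = parse_http_request(raw)
    if not is_setddns_request(method, target, body):
        return []
    return find_injection(body)


def _request(cmd: str, ddns_json: str) -> bytes:
    """Build a constructed sample request (assumed body layout, not a capture)."""
    return (
        f"POST /cgi-bin/api.cgi?cmd={cmd}&token=abc123 HTTP/1.1\r\n"
        "Host: 192.168.1.50\r\nContent-Type: application/json\r\n\r\n"
        f'[{{"cmd":"{cmd}","action":0,"param":{{"Ddns":{ddns_json}}}}}]'
    ).encode()


BENIGN = _request("SetDdns", '{"enable":1,"type":"no-ip","domain":"cam.example.org",'
                             '"username":"cam","password":"hunter2"}')
INJECTED = _request("SetDdns", '{"enable":1,"type":"no-ip","domain":"cam.example.org;id",'
                               '"username":"cam","password":"hunter2"}')
ENCODED = _request("SetDdns", '{"enable":1,"type":"no-ip","domain":"cam.example.org",'
                              '"username":"cam","password":"x%0Aid"}')
OTHER_CMD = _request("GetDevInfo", '{"domain":"a;b"}')  # semicolon, but not SetDdns

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("injected", INJECTED),
                      ("encoded", ENCODED), ("other_cmd", OTHER_CMD)):
        print(f"{name}: {inspect(req)}")
```

Two behaviours worth noting when tuning the real rule from this: the `OTHER_CMD` sample shows why the URI and body pre-filters matter (a semicolon in an unrelated command does not fire), and the `ENCODED` sample shows that percent-encoded bytes are matched literally in the body, since nothing URL-decodes a JSON string value.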

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.2    HIGH      CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd        v3.0     9.1    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           7.2    HIGH
cisa                7.2    HIGH

The v3.0 and v3.1 scores differ only in Scope (S:C versus S:U), which is what moves the rating between CRITICAL and HIGH; the v2.0 vector also records no authentication (Au:N), at odds with the PR:H in both v3 vectors and with the "Authenticated" label on the detection rule.