CVE-2021-40407
Published 2022-01-28
Priority: P1 · 82 · high · 7.2 (CVSS 3.1)
CISA Known Exploited Vulnerability · due 2025-01-08
Exploited in the wild
EPSS: 47.91% (98.7th percentile)
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| reolink | rlc-410w_firmware | — | — |
Detection & IOCs
url: /cgi-bin/api.cgi?cmd=SetDdns
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera SetDdns Authenticated Command Injection Attempt (CVE-2021-40407, CVE-2021-40408, CVE-2021-40409)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/api.cgi|3f|cmd|3d|SetDdns"; fast_pattern; startswith; http.request_body; content:"|22|cmd|22|"; content:"|22|SetDdns|22 2c|"; within:20; pcre:"/^.+\x22(?:domain|password|username)\x22\x3a[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/Rm"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2021-1424; reference:cve,2021-40407; reference:cve,2021-40408; reference:cve,2021-40409; classtype:attempted-admin; sid:2059709; rev:1;)
- Target HTTP POST requests to /cgi-bin/api.cgi?cmd=SetDdns on Reolink RLC-series devices; the attack is delivered in the request body via the SetDdns API command.
- Inspect the `domain`, `password`, or `username` JSON fields in the SetDdns request body for OS command injection metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
- The vulnerability is exploitable over plaintext HTTP (not TLS); perimeter and internal network monitoring are both relevant deployment contexts.
- The injection point is the `domain` parameter (ddns->domain variable) passed through the SetDdns API, which is not validated before being used in an OS command.
- Exploitation requires prior authentication; unauthenticated attackers cannot directly trigger this vulnerability.
- The affected firmware version is v3.0.0.136_20121102; the device/firmware may be end-of-life with no patch available.
CVSS provenance
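| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 7.2 | HIGH | |
| cisa | | 7.2 | HIGH | |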
GHSA
ghsa_unreviewed·2022-01-29
CVE-2021-40407 [CRITICAL] CWE-78 GHSA-3w42-xvwv-qc2q: An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3
VulnCheck
Reolink RLC-410W IP Camera OS Command Injection Vulnerability
vulncheck·2021·CVSS 7.2
CVE-2021-40407 [HIGH] CWE-78 Reolink RLC-410W IP Camera OS Command Injection Vulnerability
Reolink RLC-410W IP cameras contain an authenticated OS command injection vulnerability in the device network settings functionality.
Affected: Reolink RLC-410W IP Camera
Required Action: The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2025-01-08
CISA
Reolink RLC-410W IP Camera OS Command Injection Vulnerability
cisa·2024-12-18·CVSS 7.2
CVE-2021-40407 [HIGH] CWE-78 Reolink RLC-410W IP Camera OS Command Injection Vulnerability
Vulnerability: Reolink RLC-410W IP Camera OS Command Injection Vulnerability
Affected: Reolink RLC-410W IP Camera
Reolink RLC-410W IP cameras contain an authenticated OS command injection vulnerability in the device network settings functionality.
Required Action: The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.
Notes: https://reolink.com/product-eol/ ; https://reolink.com/download-center/ ; https://nvd.nist.gov/vuln/detail/CVE-2021-40407
Remediation Due Date: 2025-01-08
Suricata
ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera SetDdns Authenticated Command Injection Attempt (CVE-2021-40407, CVE-2021-40408, CVE-2021-40409)
suricata·2025-01-27·CVSS 7.2
CVE-2021-40407 [HIGH] ET WEB_SPECIFIC_APPS Reolink RLC Series IP Camera SetDdns Authenticated Command Injection Attempt (CVE-2021-40407, CVE-2021-40408, CVE-2021-40409)
No public exploits indexed.
Talos
Vulnerability Spotlight: WiFi-connected security camera could be manipulated to spy on communications, among other malicious actions
blogs_talos·2022-01-26·CVSS 6.5
[MEDIUM] Vulnerability Spotlight: WiFi-connected security camera could be manipulated to spy on communications, among other malicious actions
Francesco Benvenuto of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered several vulnerabilities in the Reolink RLC-410W security camera that could allow an attacker to perform several malicious actions, including performing man-in-the-middle attacks, stealing user login credentials and more.
The Reolink RLC-410W is a WiFi-connected security camera. The camera includes motion detection functionalities and multiple ways to save and view the recordings. The vulnerabilities Talos discovered exist in various functions and features of the camera. Some of these exploits could be combined, as well, to reboot the camera without authentication or run certain APIs.
There are five denial-of-service vulnerabilities that could allow an adversary to make the web service un
Greynoiseio
NoiseLetter January 2025
blogs_greynoiseio
Published: 2022-01-28
Added to CISA KEV: 2024-12-18
Exploited in the wild