CVE-2025-55619

CRITICAL

9.8

Beschreibung

Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering.

CVE Details

CVSS v3.1 Bewertung9.8

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht8/22/2025

Zuletzt geandert8/28/2025

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

reolink:reolink

Schwachen (CWE)

CWE-321

Referenzen

https://cwe.mitre.org/data/definitions/321.html(cve@mitre.org)

https://cwe.mitre.org/data/definitions/329.html(cve@mitre.org)

https://developer.android.com/reference/kotlin/androidx/security/crypto/EncryptedSharedPreferences(cve@mitre.org)

https://nvd.nist.gov/vuln/detail/CVE-2020-25173(cve@mitre.org)

https://www.notion.so/Reolink-Android-App-Uses-Hardcoded-AES-Key-and-IV-for-Sensitive-Data-Decryption-21a43700364280dc95bedcf6ac1a5db0(cve@mitre.org)

https://relieved-knuckle-264.notion.site/Reolink-Android-App-Uses-Hardcoded-AES-Key-and-IV-for-Sensitive-Data-Decryption-21a43700364280dc95bedcf6ac1a5db0(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.