CVE-2021-40407

HIGHCISA KEV

7.2

Description

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.

CVE Details

CVSS v3.1 Score7.2

SeverityHIGH

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredHIGH

User InteractionNONE

Published1/28/2022

Last Modified11/3/2025

Sourcekev

Honeypot Sightings0

CISA KEV

VendorReolink

ProductRLC-410W IP Camera

Vulnerability NameReolink RLC-410W IP Camera OS Command Injection Vulnerability

KEV Date Added2024-12-18

Remediation Due Date2025-01-08

Ransomware UseUnknown

Affected Products

reolink:rlc-410wreolink:rlc-410w_firmware

Weaknesses (CWE)

CWE-78CWE-78

References

https://talosintelligence.com/vulnerability_reports/TALOS-2021-1424(talos-cna@cisco.com)

https://talosintelligence.com/vulnerability_reports/TALOS-2021-1424(af854a3a-2127-422b-91ae-364da2661108)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40407(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.