CVE-2021-40409

Name of the Vulnerable Software and Affected Versions reolink RLC-410W version 3.0.0.136 20121102

Description An OS command injection issue exists in the device network settings functionality due to improper validation of the ddns->password variable. This variable is populated with the value of the password parameter provided through the SetDdns API. The lack of proper validation leads to an OS command injection. This could allow a remote attacker to execute arbitrary commands using a specially crafted HTTP request.

Recommendations For reolink RLC-410W version 3.0.0.136 20121102, as a temporary workaround, consider restricting access to the SetDdns API until a patch is available. Avoid using the password parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.