PT-2021-7510 · Reolink · Reolink RLC-410W IP Camera

Francesco Benvenuto · Published 2021-12-06 · Updated 2025-04-02 · CVE-2021-40407

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Reolink RLC-410W IP Camera version 3.0.0.136 20121102

Description: An OS command injection vulnerability exists in the device's network settings functionality due to improper validation of the ddns->domain variable. This variable takes its value from the domain parameter supplied through the SetDdns API. An attacker can send a crafted HTTP request to trigger this vulnerability, potentially allowing remote execution of arbitrary commands. The issue is related to the DDNS type and the domain parameter.

Recommendations: For Reolink RLC-410W IP Camera version 3.0.0.136 20121102, as a temporary workaround, consider disabling the SetDdns API or restricting access to it until a patch is available. Additionally, avoid using the domain parameter of the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
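As an added illustration of the input validation the description says is missing (this is example code, not Reolink firmware or part of the advisory), the handler below accepts only RFC 1123 hostnames for the `domain` parameter and hands the value to a DDNS client as a single argv element instead of through a shell string; the client name `ddns-client`, its `--hostname` flag and the request shape are assumptions.

```python
import re

# One DNS label: 1-63 chars of letters, digits and hyphens, not starting or
# ending with a hyphen (RFC 1123 syntax). Anything outside this allowlist,
# including every shell metacharacter, is rejected before reaching a command.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_ddns_domain(domain: object) -> bool:
    """Return True only if `domain` is a syntactically valid DNS hostname."""
    if not isinstance(domain, str) or not 1 <= len(domain) <= 253:
        return False
    host = domain[:-1] if domain.endswith(".") else domain  # allow FQDN dot
    return all(_LABEL_RE.match(label) for label in host.split("."))


def build_ddns_update_argv(client: str, domain: str) -> list:
    """Build the argv for a (hypothetical) DDNS client as a list, never as a
    shell string, so the validated domain is passed as exactly one argument."""
    if not validate_ddns_domain(domain):
        raise ValueError("SetDdns: domain rejected, not a valid hostname")
    return [client, "--hostname", domain]  # flag name is an assumption


def handle_set_ddns(params: dict) -> dict:
    """Constructed stand-in for a SetDdns request handler: validates the
    `domain` parameter and returns the argv that would be executed without a
    shell, or an error. The request shape is an assumption, not Reolink's."""
    domain = params.get("domain")
    try:
        argv = build_ddns_update_argv("ddns-client", domain)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "argv": argv}


if __name__ == "__main__":
    # Constructed sample inputs: two valid hostnames, then malformed values
    # that an allowlist rejects regardless of which characters they carry.
    for d in ["cam.example.com", "cam.example.com.", "cam.example.com; id",
              "$(id).example.com", "-bad.example.com", "a" * 64 + ".com", ""]:
        print(f"{d!r:32} -> ok={handle_set_ddns({'domain': d})['ok']}")
```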

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2022-07053
CVE-2021-40407

Affected Products

Reolink RLC-410W IP Camera