CVE-2021-40408

Name of the Vulnerable Software and Affected Versions reolink RLC-410W version 3.0.0.136 20121102

Description A command injection issue exists in the device network settings functionality due to improper validation of the ddns->username variable, which is set based on the userName parameter provided through the SetDdns API. This allows for potential OS command injection. The vulnerability can be exploited by a remote attacker using a specially crafted HTTP request, enabling them to execute arbitrary commands.

Recommendations For reolink RLC-410W version 3.0.0.136 20121102, as a temporary workaround, consider restricting access to the SetDdns API until a patch is available. Avoid using the userName parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.