CVE-2021-40412

Name of the Vulnerable Software and Affected Versions Reolink RLC-410W version 3.0.0.136 20121102

Description The issue exists due to the lack of proper validation of special elements used in an operating system command. This allows a remote attacker to execute arbitrary commands. Specifically, in the device network settings functionality, the devname variable is not properly validated, leading to an OS command injection. This occurs when the name parameter is provided through the "SetDevName API" endpoint.

Recommendations For Reolink RLC-410W version 3.0.0.136 20121102, as a temporary workaround, consider restricting access to the SetDevName API endpoint to minimize the risk of exploitation. Avoid using the name parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.