CVE-2021-40410

Name of the Vulnerable Software and Affected Versions Reolink RLC-410W version 3.0.0.136 20121102

Description An OS command injection issue exists in the device network settings functionality due to improper validation of the dns1 parameter provided through the SetLocal API. This allows a remote attacker to execute arbitrary commands by exploiting the dns data->dns1 variable.

Recommendations For Reolink RLC-410W version 3.0.0.136 20121102, consider restricting access to the SetLocal API until a patch is available. As a temporary workaround, avoid using the dns1 parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.