KEVIntel
Back to KEVs
9.1
CVSS
Critical

CVE-2021-40407

PUBLISHED

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2],...

Exploited in the wild Remote Low complexity No user interaction
Vendor
reolink
Product
RLC-410W
Published
Jan 28, 2022
EPSS

Description

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.

cisa

CVSS scores

CVSS v3.0 9.1 Critical

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2024-12-18 00:00:00 UTC · Source

SSVC decision points

Exploitation
active
Automatable
No
Technical impact
total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CISA Dec 18, 2024

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel