CVE-2021-40407

Basic Information

CVE State
PUBLISHED
Reserved Date
September 01, 2021
Published Date
January 28, 2022
Last Updated
February 10, 2025
Vendor
n/a
Product
n/a
Description
An OS command injection vulnerability exists in the device network settings functionality of Reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, which holds the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.

CVSS Scores

CVSS v3.0

9.1 - CRITICAL

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2024-12-18 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
CISA
Added Date
2024-12-18 00:00:00 UTC