CVE-2021-40407

HIGH KEV

Reolink RLC-410W v3.0.0.136_20121102 - Command Injection

Title source: llm

Description

An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.

References (2)

[Exploit, Third Party Advisory] https://talosintelligence.com/vulnerability_reports/TALOS-2021-1424

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40407

Scores

CVSS v3 7.2

EPSS 0.3257

EPSS Percentile 96.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2024-12-18

VulnCheck KEV 2024-12-18

InTheWild.io 2024-12-18

ENISA EUVD EUVD-2021-27584

CWE

CWE-78

Status published

Products (1)

reolink/rlc-410w_firmware 3.0.0.136_20121102

Published Jan 28, 2022

KEV Added Dec 18, 2024

Tracked Since Feb 18, 2026