CVE-2021-40407
HIGH KEVReolink RLC-410W v3.0.0.136_20121102 - Command Injection
Title source: llmExploitation Summary
CVE-2021-40407 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 18, 2024.
Description
An OS command injection vulnerability exists in the device network settings functionality of reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, that has the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1424
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40407
Scores
CVSS v3
7.2
EPSS
0.2528
EPSS Percentile
96.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
no
Technical Impact
total
Details
CISA KEV
2024-12-18
VulnCheck KEV
2024-12-18
InTheWild.io
2024-12-18
ENISA EUVD
EUVD-2021-27584
CWE
CWE-78
Status
published
Products (1)
reolink/rlc-410w_firmware
3.0.0.136_20121102
Published
Jan 28, 2022
KEV Added
Dec 18, 2024
Tracked Since
Feb 18, 2026