CVE-2025-56800
MEDIUMReolink - Authentication Bypass by Spoofing
Title source: ruleDescription
Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource file. Because the password is stored and returned via a modifiable JavaScript property(a.settingsManager.lockScreenPassword), an attacker can patch the return value to bypass authentication. NOTE: this is disputed by the Supplier because the lock-screen bypass would only occur if the local user modified his own instance of the application.
Exploits (1)
github
WORKING POC
2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-56800
Scores
CVSS v3
5.1
EPSS
0.0007
EPSS Percentile
22.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-290
Status
published
Products (1)
reolink/reolink
8.18.12
Published
Oct 21, 2025
Tracked Since
Feb 18, 2026