Cyber Resilience

CVE-2021-40407

Tags: High, CISA KEV, Active Exploitation, EUVD Exploited, Public PoC, RCE

Published: 28 January 2022
Modified: 03 November 2025
KEV Added: 18 December 2024
Patch: none listed
CVSS v3.1 Score: 7.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.2528 (96.3rd percentile)
Risk Priority: 50 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-40407 is a high-severity OS Command Injection (CWE-78) vulnerability in the Reolink RLC-410W camera firmware. Its CVSS v3.1 base score is 7.2 (High); the vector requires high privileges (PR:H), so an attacker needs administrative access to the camera's web API before the flaw can be reached.

Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood (EPSS 0.2528); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

An OS command injection vulnerability exists in the device network settings functionality of the Reolink RLC-410W camera running firmware version 3.0.0.136_20121102. The flaw occurs when handling the ddns->domain variable supplied to the SetDdns API, where the value is not properly validated based on the selected DDNS type, allowing arbitrary operating system commands to be executed.

An authenticated attacker with administrative privileges can send a crafted HTTP request containing a malicious domain parameter to trigger the vulnerability. Successful exploitation grants the ability to execute arbitrary commands on the device, resulting in full control over confidentiality, integrity, and availability of the affected camera.

The issue is documented in detail in the Talos Intelligence advisory TALOS-2021-1424 and appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation. No specific patch or mitigation details are provided in the available references.

Vulnerability details

An OS command injection vulnerability exists in the device network settings functionality of Reolink RLC-410W v3.0.0.136_20121102. At [1] or [2], based on DDNS type, the ddns->domain variable, which holds the value of the domain parameter provided through the SetDdns API, is not validated properly. This would lead to an OS command injection. An attacker can send an HTTP request to trigger this vulnerability. (The code locations [1] and [2] refer to the Talos advisory TALOS-2021-1424 and are not reproduced here.)

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Reolink RLC-410W firmware, version 3.0.0.136_20121102

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-10 (Information Input Validation): directly requires validation and sanitization of the untrusted ddns->domain parameter supplied to SetDdns before it is used in OS command construction.

Prevent, AC-6 (Least Privilege): limits the privileges of the web-server or DDNS-handling process so that successful command injection cannot immediately yield full device control.

Detect: enables monitoring of process execution, API calls, and anomalous command patterns (for example shell metacharacters in the domain parameter of SetDdns requests) that would reveal attempted or successful exploitation.
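The pattern below is added here as an illustration; it is not Reolink firmware code and is not taken from the Talos advisory. It shows the vulnerable shape described in the deeper analysis (the SetDdns domain value spliced unvalidated into a shell command line) beside the SI-10 style fix listed above: an RFC 1123 hostname allow-list check applied before the value is used, and an argv array handed to execv() rather than a string handed to a shell. The struct layout, the function names, the /usr/sbin/ddns-client path and the sample request values are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the device's DDNS settings; the real
 * firmware layout is not shown in the advisory. */
struct ddns_cfg {
    int  type;          /* selected DDNS provider type */
    char domain[256];   /* value of the SetDdns `domain` parameter */
};

/* Vulnerable pattern: the unvalidated domain is spliced into a shell
 * command line. A domain such as "x;reboot" or "$(id)" is interpreted
 * by /bin/sh if this string reaches system() or popen(). */
int build_ddns_cmd_unsafe(const struct ddns_cfg *c, char *out, size_t n)
{
    return snprintf(out, n, "/usr/sbin/ddns-client -d %s", c->domain);
}

/* Allow-list validation: RFC 1123 hostname syntax. Letters, digits and
 * '-' in labels of 1..63 chars, no label starting or ending with '-',
 * total length <= 253. Shell metacharacters are rejected simply by not
 * being on the allow-list, so no deny-list of "bad" characters is needed. */
bool is_valid_hostname(const char *s)
{
    size_t len = strlen(s), label = 0;
    if (len == 0 || len > 253)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = (unsigned char)s[i];
        if (ch == '.') {
            if (label == 0 || s[i - 1] == '-')   /* empty label or label ending in '-' */
                return false;
            label = 0;
        } else if (isalnum(ch) || ch == '-') {
            if (label == 0 && ch == '-')          /* label starting with '-' */
                return false;
            if (++label > 63)
                return false;
        } else {
            return false;                         /* ';', '`', '$', ' ', '|', ... */
        }
    }
    return label > 0 && s[len - 1] != '-';        /* no trailing '.' or '-' */
}

/* Hardened pattern: validate first, then build argv[] for execv() so no
 * shell ever parses the value. Returns the argv count, or -1 if the
 * domain is rejected (the handler should then fail the SetDdns request). */
int build_ddns_argv_safe(const struct ddns_cfg *c, const char *argv[], size_t max)
{
    if (max < 4 || !is_valid_hostname(c->domain))
        return -1;
    argv[0] = "/usr/sbin/ddns-client";   /* assumed helper path */
    argv[1] = "-d";
    argv[2] = c->domain;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample request values, not captured traffic. */
    const char *samples[] = { "cam.example.com", "cam.example.com;reboot", "$(id).example.com" };
    char cmd[512];
    const char *argv[4];
    for (size_t i = 0; i < 3; i++) {
        struct ddns_cfg c = { .type = 1 };
        snprintf(c.domain, sizeof c.domain, "%s", samples[i]);
        build_ddns_cmd_unsafe(&c, cmd, sizeof cmd);
        printf("unsafe command line: %s\n", cmd);
        printf("hardened handler:    %s\n",
               build_ddns_argv_safe(&c, argv, 4) < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

Validation alone is the SI-10 control; passing an argv array instead of a shell string removes the shell from the path entirely, which is the cheaper guarantee when the helper is a native binary. Neither replaces AC-6: the helper should still run as an unprivileged user so that a bypass of the check does not yield root on the camera.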
