CVE-2025-55619
Published: 22 August 2025
Summary
CVE-2025-55619 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in the Reolink app. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). The CVE ranks at the 33.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-28 (Protection of Information at Rest).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires establishment and management of cryptographic keys using NIST-approved methods, directly preventing the use of hardcoded keys and IVs that allow decryption of access and session tokens.
Mandates approved cryptographic mechanisms to protect sensitive information at rest like stored tokens, comprehensively addressing weak storage encryption vulnerable to reverse engineering.
Requires protection of authenticators such as access tokens and session tokens from unauthorized disclosure, which is undermined by reliance on hardcoded encryption keys.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded AES key and IV in Reolink Android app enable reverse engineering to decrypt stored access tokens (T1528: Steal Application Access Token) and web session tokens (T1539: Steal Web Session Cookie).
NVD Description
Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering.
Deeper analysis
CVE-2025-55619 is a critical vulnerability in the Reolink Android application version v4.54.0.4.20250526, where a hardcoded encryption key and initialization vector (IV) are used for protecting sensitive data. Classified under CWE-321 (Use of Hard-coded Cryptographic Key), the flaw enables decryption of access tokens and web session tokens stored inside the app. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to the ease of exploitation and potential for severe impacts.
Any attacker capable of reverse engineering the Reolink app can exploit this vulnerability by extracting the hardcoded key and IV to decrypt the protected tokens. No special privileges, user interaction, or physical access are required, and the attack can originate remotely over the network with low complexity. Successful exploitation grants access to sensitive credentials, potentially allowing unauthorized account access, session hijacking, or further compromise of connected Reolink devices and services.
References point to CWE definitions for hard-coded keys (CWE-321) and insufficient entropy in PRNG (CWE-329), Android's EncryptedSharedPreferences documentation, a related vulnerability (CVE-2020-25173), and a Notion page detailing the hardcoded AES key and IV in the Reolink Android app. No specific advisories, patches, or mitigation steps are detailed in the provided information.
Details
- CWE(s)