CVE-2025-55619

Critical · Public PoC

Published: 22 August 2025
Modified: 28 August 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0016 (36.4th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55619 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in the Reolink Android application (vendor: Reolink). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). EPSS ranks it at the 36.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-28 (Protection of Information at Rest).

Deeper analysis

CVE-2025-55619 is a critical vulnerability in the Reolink Android application, version 4.54.0.4.20250526, in which a hardcoded encryption key and initialization vector (IV) are used to protect sensitive data. Classified under CWE-321 (Use of Hard-coded Cryptographic Key), the flaw allows decryption of the access tokens and web session tokens the app stores locally. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): the key is recoverable with nothing more than a copy of the app, and the tokens it protects grant authenticated access.

Anyone who can reverse engineer the Reolink app can extract the hardcoded key and IV and use them to decrypt the protected tokens; because every installation ships the same constants, the encryption provides no confidentiality at all. The CVSS vector rates the attack as network-reachable, low-complexity, and requiring no privileges or user interaction. In practice the attacker also needs a copy of a victim's encrypted token store (for example from a device backup, leaked app storage, or another flaw that exposes app data), after which decryption is offline and instantaneous. Successful exploitation yields live credentials, enabling unauthorized account access, session hijacking, and further compromise of connected Reolink devices and services.
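The following Go program is an added illustration of the weakness described above and of its fix; it is not Reolink's code, not the referenced proof-of-concept, and not part of the original advisory. It assumes AES-CBC with PKCS#7 padding (the advisory says only that an AES key and IV are hardcoded, so the mode is an assumption), uses constructed key, IV and token values rather than anything lifted from the real app, and stands in Go for what the app does in Java or Kotlin. The vulnerable half shows why a lifted key and IV decrypt every user's stored blob and why a fixed IV leaks equal token prefixes (CWE-329); the hardened half shows the pattern EncryptedSharedPreferences implements, a runtime key that never lives in the binary plus a fresh random nonce and authentication (AES-GCM).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed stand-ins for the constants a reverse engineer would lift from the
// decompiled APK. They are NOT the Reolink app's real key or IV.
var (
	hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	hardcodedIV  = []byte("fedcba9876543210")                 // 16 bytes, one AES block
)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad expects a non-empty, block-aligned input (callers check that).
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return b[:len(b)-n], nil
}

// VulnerableEncrypt models the weakness: AES-CBC (assumed mode) with a key and IV
// compiled into the app (CWE-321) and never varied (CWE-329). Output is deterministic.
func VulnerableEncrypt(plaintext []byte) []byte {
	block, _ := aes.NewCipher(hardcodedKey) // fixed 32-byte key, cannot fail
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, hardcodedIV).CryptBlocks(out, padded)
	return out
}

// AttackerDecrypt needs only the lifted constants and a copy of the stored blob.
func AttackerDecrypt(blob, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not block aligned")
	}
	out := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, blob)
	return pkcs7Unpad(out)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// HardenedSeal is the corrected pattern: AES-GCM, a fresh random nonce prepended to
// the ciphertext, and a key obtained at runtime (on Android, from the Keystore).
func HardenedSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// HardenedOpen splits off the nonce and fails closed on any tampering.
func HardenedOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	token := []byte("access_token=constructed-sample-value") // constructed, not a real token
	pt, err := AttackerDecrypt(VulnerableEncrypt(token), hardcodedKey, hardcodedIV)
	fmt.Printf("vulnerable: attacker recovered %q (err=%v)\n", pt, err)
	key := make([]byte, 32) // stand-in for a key held in the Android Keystore
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s1, _ := HardenedSeal(key, token)
	s2, _ := HardenedSeal(key, token)
	fmt.Printf("hardened: same token sealed twice gives identical blobs? %v\n", bytes.Equal(s1, s2))
}
```

Two things to take from running it: with the hardcoded constants every blob decrypts, and two tokens that share their first 16 bytes produce an identical first ciphertext block, so an attacker can fingerprint and compare stored tokens without decrypting anything. The hardened version cannot be attacked this way because the key is never in the APK and each seal uses a new nonce.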

References point to the CWE definitions for hard-coded keys (CWE-321) and predictable IVs in CBC mode (CWE-329), Android's EncryptedSharedPreferences documentation, a related vulnerability (CVE-2020-25173), and a Notion page detailing the hardcoded AES key and IV in the Reolink Android app. No vendor advisory, patch, or mitigation steps are given in the referenced material.

Vulnerability details

Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering.

CWE(s)

CWE-321 Use of Hard-coded Cryptographic Key

Related Threats

MITRE ATT&CK Enterprise Techniques

T1528 Steal Application Access Token (Credential Access): Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Hardcoded AES key and IV in Reolink Android app enable reverse engineering to decrypt stored access tokens (T1528: Steal Application Access Token) and web session tokens (T1539: Steal Web Session Cookie).

CVEs Like This One

CVE-2025-55637 (same vendor: Reolink)
CVE-2026-33266 (shared CWE-321)
CVE-2025-34256 (shared CWE-321)
CVE-2025-15016 (shared CWE-321)
CVE-2025-67112 (shared CWE-321)
CVE-2025-27674 (shared CWE-321)
CVE-2025-30234 (shared CWE-321)
CVE-2025-59407 (shared CWE-321)
CVE-2026-33362 (shared CWE-321)
CVE-2026-1442 (shared CWE-321)

Affected Assets

Vendor: reolink
Product: reolink
Version: 4.54.0.4.20250526

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-12 (Cryptographic Key Establishment and Management). Requires establishment and management of cryptographic keys using NIST-approved methods, directly preventing the use of hardcoded keys and IVs that allow decryption of access and session tokens.

Prevent: SC-28 (Protection of Information at Rest). Mandates approved cryptographic mechanisms to protect sensitive information at rest such as stored tokens, addressing weak storage encryption that is defeated by reverse engineering.

Prevent (authenticator protection): Requires protection of authenticators such as access tokens and session tokens from unauthorized disclosure, which is undermined by reliance on hardcoded encryption keys.
