CVE-2021-40407 — Reolink RLC-410W IP Camera OS Command Injection Vulnerability

CVE-2021-40407

Reolink RLC-410W — Authenticated OS Command Injection in Network Settings Enabling Root Code Execution; Potentially EOL Device

Reolink is a consumer and SMB-focused IP camera manufacturer. The RLC-410W is a 4MP outdoor PoE/Wi-Fi security camera used in home and small business surveillance systems. IP cameras are persistent targets for botnet operators because they run embedded Linux with internet-facing administrative interfaces, often run as root, and are rarely updated by their owners. Compromised IP cameras are recruited as DDoS botnet nodes, used as network pivot points for internal network reconnaissance, and leveraged to intercept camera feeds. Reolink's EOL products may no longer receive firmware security patches.

Overview

CVE-2021-40407 is an OS command injection vulnerability (CWE-78) in the network settings functionality of the Reolink RLC-410W IP camera. An attacker with administrative credentials to the camera can inject OS commands through the network settings interface that execute with root privileges on the camera's embedded Linux OS. This vulnerability requires high privileges (administrator authentication) to exploit — CVSS PR:H reflects this limitation. CISA added this to KEV in December 2024, nearly three years after CVE publication, following confirmed exploitation. CISA's required action acknowledges that the product may be EOL and recommends discontinuing use if mitigations are unavailable.

Affected Versions

Product            Status                         Action
Reolink RLC-410W   Potentially EOL — Vulnerable   Check Reolink for firmware updates; if EOL, discontinue use

Technical Details

The Reolink RLC-410W camera's web management interface includes network configuration settings (hostname, DNS server, DDNS settings) that are passed to OS commands for network configuration:

  • Root cause: OS command injection (CWE-78) — network settings parameters in the administrative interface are passed to shell commands without filtering shell metacharacters
  • Authentication required: High privilege level (administrator credentials) required — this is not an unauthenticated vulnerability (PR:H in CVSS)
  • Exploitation path: Default or weak admin credentials on the camera enable exploitation; cameras with default password admin (common on Reolink devices) are trivially accessible
  • Execution context: Injected commands run as root on the camera's embedded Linux OS
  • Botnet recruitment: Once compromised, cameras are enrolled as Mirai-variant botnet nodes via the command injection
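The root cause above, shown as an added illustration rather than Reolink's firmware code: a hypothetical handler that splices an admin-supplied hostname into a shell command line, beside a hardened version that allowlists the value and executes the binary without a shell (function names, the /bin/hostname path and the DNS/hostname rules are assumptions).

```c
/* Added illustration of the CWE-78 pattern described above.
 * Hypothetical code: not Reolink firmware; names and paths assumed. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern: the admin-supplied hostname is spliced into a shell
 * command line, so shell metacharacters in it change what /bin/sh runs,
 * as root on the camera. */
void set_hostname_unsafe(const char *hostname) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "hostname %s", hostname);
    system(cmd);
}

/* Allowlist: RFC 1123 host label, 1..63 bytes of [A-Za-z0-9-],
 * no leading or trailing hyphen. Everything else is rejected. */
int is_valid_hostname(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 63 || s[0] == '-' || s[n - 1] == '-') return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '-') return 0;
    return 1;
}

/* DNS server field: must parse as a dotted-quad IPv4 address. */
int is_valid_ipv4(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Hardened pattern: validate first, then exec the binary directly with an
 * argv array so no shell ever parses the value. Returns 0 on success, -1 otherwise. */
int set_hostname_safe(const char *hostname) {
    if (!is_valid_hostname(hostname)) return -1;   /* reject before any exec */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/hostname", "hostname", hostname, (char *)NULL);
        _exit(127);                                /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```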

Discovery

Identified by security researchers examining IP camera firmware security. The three-year gap between CVE publication and CISA KEV addition reflects long-tail exploitation of IoT device vulnerabilities.

Exploitation Context

IoT camera vulnerabilities with admin access are frequently exploited by changing the device's default password and then leveraging administrative access to deploy botnet malware. Many IoT cameras ship with default credentials (admin:admin, or admin with an empty password) that owners never change, making the "requires high privileges" limitation less meaningful in practice. Mirai and successor botnets specifically scan for cameras with default credentials as their primary recruitment mechanism.

Remediation

  1. Check whether the Reolink RLC-410W has available firmware updates at Reolink's Download Center and apply them
  2. If the device is listed as EOL on Reolink's product EOL page, follow CISA's guidance and discontinue use — replace with a currently-supported camera
  3. Change the default admin password immediately to a strong, unique password — this eliminates the primary exploitation vector since the vulnerability requires admin credentials
  4. Restrict camera web interface access to your local network — disable UPnP, remove any port-forwarding rules that expose the camera management interface to the internet
  5. Consider placing IP cameras on an isolated VLAN segment separate from corporate or home networks to limit lateral movement if compromised

Key Details

Property              Value
CVE ID                CVE-2021-40407
Vendor / Product      Reolink — RLC-410W IP Camera
NVD Published         2022-01-28
NVD Last Modified     2025-11-03
CVSS 3.1 Score        7.2
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-78
CISA KEV Added        2024-12-18
CISA KEV Deadline     2025-01-08
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   High
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-01-08. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.

Timeline

Date         Event
2022-01-28   CVE published
2024-12-18   Added to CISA Known Exploited Vulnerabilities catalog — nearly three years after CVE publication
2025-01-08   CISA BOD 22-01 remediation deadline

References

Resource                     Type
Reolink EOL Products List    Vendor Advisory
NVD — CVE-2021-40407         Vulnerability Database
CISA KEV Catalog Entry       US Government