CVE-2025-56800

Medium CVSS: 5.1

Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource file. Because the password is stored and returned via a modifiable JavaScript property(a.settingsManager.lockScreenPassword), an attacker can patch the return value to bypass authentication. NOTE: this is disputed by the Supplier because the lock-screen bypass would only occur if the local user modified his own instance of the application.

Vendor

Reolink

Product

Reolink

CWE

CWE-290

Yayın Tarihi

2025-10-21 19:21:22

Güncelleme

2025-11-17 12:46:26

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-290 Reolink MEDIUM Reolink 2025

Referanslar

https://github.com/shinyColumn/CVE-2025-56800 https://shinycolumn.notion.site/reolink-auth-bypass

Benzer Kayıtlar

Medium

CVE-2025-56802

The Reolink desktop application uses a hard-coded and predictable AES encryption key to encrypt user configuration files…

Medium

CVE-2025-56799

Reolink desktop application 8.18.12 contains a command injection vulnerability in its scheduled cache-clearing mechanism…

Medium

CVE-2025-56801

The Reolink Desktop Application 8.18.12 contains hardcoded credentials as the Initialization Vector (IV) in its AES-CFB…

High

CVE-2025-55634

Incorrect access control in the RTMP server settings of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firm…

Critical

CVE-2025-55637

Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 was discovered to contain a…

Medium

CVE-2025-55624

An intent redirection vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access internal funct…