1. Reporting information

Team name : Team Brrester

2. Overview of Vulnerabilities

• Vulnerability title: Unauthenticated Push feature of RTMP server enables Denial of Service (DoS)
• Date of discovery: 2025.07.10
• Discovery Location (URL or System Path) : rtmp://<IP>:1935/live/
• Vulnerability Type (CWE ID): CWE-306: Missing Authentication for Critical Function CWE-400: Uncontrolled Resource Consumption
• Vulnerability Description: RTMP Push is possible for anyone because there is no on_publish authentication in the RTMP server settings. An attacker can inject multiple streams simultaneously using ffmpeg, etc., which drains the resources of the RTMP server, severely disrupting normal streaming services.

3. Details

• Impacted Products/Services: Reolink RTMP-based video streaming service, device operation
• Product version: firmware v3.0.0.4662_2503122283
• Vulnerable Components: setting rtmp in nginx.conf

If you check the rtmp part in nginx.conf settings

application vod 
        {
            play /mnt/sda/;
	        #on_play <http://127.0.0.1>:_HTTP_PORT_/api.cgi?rtmp=auth;
            on_play <http://127.0.0.1>:_HTTP_PORT_/api.cgi?rtmp=start;
            on_play_done <http://127.0.0.1>:_HTTP_PORT_/api.cgi?rtmp=stop;
            #record video;
            #record_path /tmp;
            #record_max_size 128K;
            #record_interval 30s;
            #record_suffix .this.is.flv;

            #on_publish <http://localhost:8080/publish>;
            #on_play <http://localhost:8080/play>;
            #on_record_done <http://localhost:8080/record_done>;			
        }
        application live 
        {
            live on;
            on_play <http://127.0.0.1>:_HTTP_PORT_/api.cgi?rtmp=start;
            on_play_done <http://127.0.0.1>:_HTTP_PORT_/api.cgi?rtmp=stop;
#            record video;
#            record_path /mnt/app/www/;
#            record_suffix -%d-%b-%y-%T.flv;
        }
        application bcs 
        {
            play /mnt/app/www/;
            #on_play <http://127.0.0.1>:_HTTP_PORT_/api.cgi?rtmp=auth;
            on_play <http://127.0.0.1>:_HTTP_PORT_/api.cgi?rtmp=start;
            on_play_done <http://127.0.0.1>:_HTTP_PORT_/api.cgi?rtmp=stop;
            #record video;
            #record_path /tmp;
            #record_max_size 128K;
            #record_interval 30s;
            #record_suffix .this.is.flv;

            #on_publish <http://localhost:8080/publish>;

Access to the same IP where the reolink device operates because there is no information about on_publish authentication Attackers can inject arbitrary streams into rtmp://<target-ip>:1935/live/<stream> without authentication, resulting in resource depletion and out-of-service.

Reproducible when the instrument is operational and the RTMP port (default 1935) is open in the setup.

POC code :