CVE-2025-56800
BaseFortify
Publication date: 2025-10-21
Last updated on: 2025-11-17
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| reolink | reolink | 8.18.12 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Reolink desktop application version 8.18.12, where the local authentication mechanism is implemented entirely on the client side using JavaScript. The lock screen password is stored and returned via a modifiable JavaScript property (a.settingsManager.lockScreenPassword). An attacker can patch this property to bypass the authentication, effectively allowing unauthorized access.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to bypass the lock screen authentication on the Reolink desktop application, potentially granting unauthorized access to the application and any sensitive data or controls it manages.
What immediate steps should I take to mitigate this vulnerability?
Since the vulnerability is due to the client-side implementation of the lock screen password in the Reolink desktop application, immediate mitigation steps include avoiding use of the vulnerable version 8.18.12, restricting access to the application to trusted users only, and monitoring for updates or patches from Reolink that address this issue. Additionally, consider using alternative authentication methods or applications until a fix is available.