CVE-2025-56800

MEDIUM EPSS 15.2%

Published Oct 21, 20258mo ago · Modified Jun 17, 20261w ago

5.1 CVSS 3.1

Medium

Published Oct 21, 2025 8mo ago

Last Modified Jun 17, 2026 1w ago

Description

Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource file. Because the password is stored and returned via a modifiable JavaScript property(a.settingsManager.lockScreenPassword), an attacker can patch the return value to bypass authentication. NOTE: this is disputed by the Supplier because the lock-screen bypass would only occur if the local user modified his own instance of the application.

CVSS Details

Base Score

5.1

Exploitability

2.5

Impact

2.5

Vector string

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector Local

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

15.2% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-290

Affected Products 1

Vendor	Product	Version	Range
reolink	reolink	8.18.12	any

References 2

github.com https://github.com/shinyColumn/CVE-2025-56800

ExploitThird Party Advisory
shinycolumn.notion.site https://shinycolumn.notion.site/reolink-auth-bypass

ExploitThird Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.