Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering.
The Reolink mobile application uses a static encryption key (hardcoded key) and a fixed initialization vector to encrypt sensitive data such as access tokens and session tokens. An attacker can reverse engineer the application, extract the hardcoded key and IV values, and then use them to decrypt data stored within the application. Using a static key and IV completely eliminates cryptographic protection because every instance of the application uses identical encryption parameters.
An attacker who gains access to application data (e.g., through malware, physical device access, or backup) can decrypt access tokens and session tokens, which may lead to user account takeover and unauthorized access to Reolink cameras and devices.
Apply patches available from the manufacturer according to the references. The manufacturer should replace the hardcoded key and IV with a dynamic encryption key generation mechanism, for example using Android Keystore or EncryptedSharedPreferences in accordance with Android Security API recommendations.
Reolink mobile application version v4.54.0.4.20250526
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HReolink
APPReolink4.54.0.4.20250526
Related vulnerabilities
Reolink desktop application 8.18.12 contains a command injection vulnerability in its scheduled cache-clearing...
Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The applic...
The Reolink Desktop Application 8.18.12 contains hardcoded credentials as the Initialization Vector (IV) in it...
The Reolink desktop application uses a hard-coded and predictable AES encryption key to encrypt user configura...
An intent redirection vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access inte...