What happened
CISA added CVE-2019-11001 to the Known Exploited Vulnerabilities (KEV) catalog on 2024-12-18 with a remediation due date of 2025-01-08 CISA KEV. Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W IP cameras are affected by an authenticated OS command injection vulnerability tracked as CVE-2019-11001 NVD. Per the KEV entry, an authenticated admin can abuse the camera's "TestEmail" functionality to inject and execute operating system commands as root CISA KEV. The flaw is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e. OS Command Injection): attacker-controlled input reaches an OS command without being neutralized NVD. KEV only lists vulnerabilities for which CISA has evidence of active exploitation, so inclusion is itself the signal that this five-year-old bug is being used in the wild CISA KEV.
Why it matters
KEV inclusion means federal civilian executive branch agencies must remediate by the due date under Binding Operational Directive 22-01, and it reflects confirmed real-world abuse that non-federal organizations should read as the same signal CISA KEV. Because the exploit path runs commands as root on the camera OS, a compromise yields full device takeover and a beachhead on network segments where cameras are often trusted and rarely monitored CISA KEV. CWE-78 issues are especially damaging in embedded devices: the management interface typically already runs as root, so a single missed input check at the point where a form value meets a shell jumps straight to arbitrary command execution with no privilege boundary left to cross NVD. The KEV entry also notes the impacted product may be end-of-life or end-of-service, increasing the likelihood that no patch will arrive and that decommissioning is the only safe path CISA KEV.
Technical detail
The vulnerability is tracked as CVE-2019-11001 in both MITRE's CVE list and NIST's NVD, which identify Reolink "Multiple IP Cameras" as affected MITRE CVE. NVD classifies the weakness as CWE-78 (OS Command Injection), indicating that user-controlled input is incorporated into an OS command without proper sanitization NVD. According to CISA's KEV short description, an authenticated admin can exploit the device's "TestEmail" feature to inject commands that the camera executes with root privileges CISA KEV. The affected models explicitly called out in KEV are RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W, all under the Reolink brand CISA KEV. Neither entry names the specific form field that is injected, so the defensive assumption should be that every parameter the TestEmail handler hands to the mail subsystem (server, account, recipient, subject) is in scope NVD. The attack precondition is valid admin authentication, which limits direct exploitation to whoever holds admin credentials: insiders, accounts hit by credential stuffing or password reuse, devices still on default or never-changed factory credentials, and prior compromises where credentials were harvested CISA KEV. Once authenticated, using "TestEmail" as an execution primitive gives direct OS-level command execution rather than a constrained application action, which is what makes the post-auth risk severe NVD. KEV lists ransomware use as unknown for this CVE, but the ability to run arbitrary commands as root makes the device a viable staging point for lateral movement regardless of actor type CISA KEV.
Defense
CISA's required action states the impacted product could be end-of-life or end-of-service, and users should discontinue use if no current mitigation exists CISA KEV. Prioritize removal or replacement of the affected Reolink models ahead of the 2025-01-08 due date where feasible to meet KEV remediation expectations CISA KEV. If temporary containment is unavoidable, restrict admin access to the camera management interface to a minimal set of jump hosts and management networks, and treat the device as a high-risk asset pending decommission NVD. Instrument monitoring for repeated or anomalous invocations of the camera's email-test function: correlate admin logins with subsequent "TestEmail" triggers, alert on bursts of tests from one session, and inspect the submitted SMTP fields for shell metacharacters that have no place in a hostname or account name CISA KEV. Because exploitation requires authentication, enforce unique, strong admin credentials per device, replace any factory defaults, rotate credentials that may have been reused or exposed in prior incidents, and retire shared accounts MITRE CVE. Treat these cameras as untrusted until retired: segment them from sensitive networks, deny egress except to strictly required services (the configured SMTP server, NTP, and nothing else), and continuously monitor for outbound anomalies that would indicate post-exploitation behavior NVD.
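As an added example of the login-to-TestEmail correlation described above (not code from the original page, and not a Lyrie product component), the detector below consumes a constructed key=value log format standing in for whatever the camera or a fronting reverse proxy actually emits; the field names `src`, `user`, `event`, `result`, `smtp_host`, `smtp_user` and `subject` are assumptions. It raises three kinds of alert: an email test from a source that never logged in successfully, shell metacharacters in a submitted SMTP field, and a burst of tests inside a short window.

```python
"""Detection sketch: correlate admin logins with TestEmail invocations.

Added example. The log format below is constructed; a real deployment
would map the camera's or proxy's own fields onto parse_line().
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shell metacharacters that never belong in an SMTP host, account or subject.
INJECTION_CHARS = re.compile(r"[;&|`$<>\n\\]")
BURST_WINDOW = timedelta(seconds=60)   # assumed tuning values
BURST_COUNT = 5

# key=value or key="quoted value"
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample log: one benign session, one abusive session, and one
# TestEmail with no preceding successful login.
SAMPLE_LOG = """\
2024-12-20T10:00:00Z src=10.0.0.7 user=admin event=login result=success
2024-12-20T10:00:05Z src=10.0.0.7 user=admin event=TestEmail smtp_host="smtp.example.com" smtp_user="cam@example.com"
2024-12-20T10:03:00Z src=10.0.0.9 user=admin event=login result=success
2024-12-20T10:03:02Z src=10.0.0.9 user=admin event=TestEmail smtp_host="smtp.example.com;id" smtp_user="a"
2024-12-20T10:03:03Z src=10.0.0.9 user=admin event=TestEmail smtp_host="smtp.example.com" smtp_user="$(id)"
2024-12-20T10:03:04Z src=10.0.0.9 user=admin event=TestEmail smtp_host="smtp.example.com" smtp_user="a"
2024-12-20T10:03:05Z src=10.0.0.9 user=admin event=TestEmail smtp_host="smtp.example.com" smtp_user="a"
2024-12-20T10:03:06Z src=10.0.0.9 user=admin event=TestEmail smtp_host="smtp.example.com" smtp_user="a"
2024-12-20T10:05:00Z src=10.0.0.11 user=admin event=TestEmail smtp_host="smtp.example.com" smtp_user="a"
"""


def parse_line(line: str) -> dict:
    """Split '<ts> k=v k="v v"...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = {k: (q if v.startswith('"') else v) for k, v, q in _KV.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines):
    """Return a list of alert dicts in the order the triggering lines appear."""
    alerts = []
    logged_in = set()              # (src, user) pairs with a successful login
    recent = defaultdict(deque)    # (src, user) -> TestEmail timestamps in window
    for line in lines:
        ev = parse_line(line)
        key = (ev.get("src"), ev.get("user"))
        if ev.get("event") == "login":
            if ev.get("result") == "success":
                logged_in.add(key)
            continue
        if ev.get("event") != "TestEmail":
            continue
        # 1. TestEmail without an observed admin login: session hijack or a
        #    logging gap; either way worth a look on an EoL device.
        if key not in logged_in:
            alerts.append({"rule": "testemail_without_login", "ts": ev["ts"], "key": key})
        # 2. Injection indicators in the fields the handler passes onward.
        for field in ("smtp_host", "smtp_user", "subject"):
            val = ev.get(field, "")
            if INJECTION_CHARS.search(val):
                alerts.append({"rule": "command_injection_indicator", "ts": ev["ts"],
                               "key": key, "field": field, "value": val})
        # 3. Burst of tests from one session; fires once when the threshold
        #    is first crossed within the sliding window.
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) == BURST_COUNT:
            alerts.append({"rule": "testemail_burst", "ts": ev["ts"], "key": key, "count": len(q)})
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log this yields four alerts: two injection indicators from 10.0.0.9 (a `;` in `smtp_host`, then `$(` in `smtp_user`), a burst alert on that session's fifth test, and a no-login alert for 10.0.0.11. The metacharacter rule is the high-confidence signal; the burst and no-login rules are there to catch payloads that avoid the obvious characters.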
Lyrie Verdict
This is a post-auth root execution path on a ubiquitous IoT foothold, tied to a deterministic feature invocation ("TestEmail") and confirmed in KEV as exploited CISA KEV. Lyrie's autonomous detectors should model the device-function sequence of admin authentication followed by email-test actions and flag command-injection indicators at machine speed, before an operator could react NVD. We recommend a policy that quarantines the camera on any anomalous "TestEmail" burst or post-invocation egress deviation, pairing protocol-aware inspection with credential-usage baselining so containment is immediate CISA KEV.