What happened
CISA added CVE-2021-40407 to the Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed in-the-wild exploitation against Reolink RLC-410W IP cameras [CISA KEV]. The vulnerability is an authenticated OS command injection in the device's network settings functionality, allowing commands to be executed on the underlying OS after login [NVD record]. CISA's entry notes that the impacted product may be end-of-life or end-of-service and instructs users to discontinue use if a current mitigation is unavailable [CISA KEV]. CVE-2021-40407 maps to CWE-78 (Improper Neutralization of Special Elements used in an OS Command), the classic pattern for shell injection on embedded systems [NVD record]. CISA added the entry to KEV on 2024-12-18 and set a due date of 2025-01-08 for remediation actions [CISA KEV].
Why it matters
When a camera's configuration path is vulnerable to OS command injection, an authenticated actor can move from web-level access to direct OS command execution on the device [NVD record]. CISA's KEV listing means exploitation is not theoretical: adversaries are actively abusing this weakness in the wild, which demands prioritized action [CISA KEV]. Because the vulnerability sits in authenticated functionality, any credential exposure or lateral movement that yields valid access can become a device takeover through the CWE-78 injection [NVD record]. The convergence of embedded Linux, web UIs, and network configuration endpoints on consumer-grade cameras frequently concentrates high-impact permissions in a small attack surface, amplifying risk once injection is possible [MITRE CVE]. KEV inclusion also imposes a remediation deadline on federal enterprises and sets a de facto urgency benchmark for the private sector to match or beat [CISA KEV].
Technical detail
Per CISA, the flaw sits in the network settings functionality and requires authentication before it can be triggered, which places the vulnerable sink behind a login barrier but not beyond reach once credentials are obtained or misused [CISA KEV]. NVD classifies the weakness as OS command injection (CWE-78), indicating insufficient neutralization of input before it reaches a shell or shell-like interpreter on the device [NVD record]. In practice, CWE-78 typically manifests when user-supplied fields are concatenated into system calls without robust quoting, whitelisting, or safe APIs that avoid shell parsing entirely [NVD record]. The affected product is the Reolink RLC-410W IP Camera, a wireless model whose web management plane exposes the configuration surface that carries the injection vector described by the CVE [MITRE CVE]. Because the vector is in management functionality, exploitation is viable through authenticated HTTP requests to the device rather than requiring physical access, consistent with KEV's exploited-in-the-wild status [CISA KEV]. CISA further flags potential end-of-life or end-of-service status for the impacted product, raising the likelihood that some deployments will not receive vendor patches or mitigations [CISA KEV].
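To make the CWE-78 pattern concrete, here is an added illustration (not Reolink's code and not taken from the advisory) of a hypothetical network-settings handler in its vulnerable form, which splices user fields into a shell command string, beside a hardened form that validates each field against an allowlist and invokes the tool with an argv list and no shell. Function names, the interface name and the use of `ifconfig` are assumptions.

```python
import ipaddress
import re
import subprocess

# Constructed illustration of the CWE-78 pattern described in the advisory.
# Names are hypothetical; this is not the camera firmware's code.


def build_command_vulnerable(interface: str, ip: str, netmask: str) -> str:
    """Vulnerable pattern: the returned string is meant for a shell (system()
    style), so any shell metacharacter inside `ip` or `netmask` changes what
    actually runs. The user input passes through untouched."""
    return f"ifconfig {interface} {ip} netmask {netmask}"


# Interface names: lowercase letter followed by up to 14 alphanumerics.
_IFACE_RE = re.compile(r"[a-z][a-z0-9]{0,14}")


def validate_settings(interface: str, ip: str, netmask: str) -> list[str]:
    """Allowlist validation. Returns an argv list for a shell-free exec or
    raises ValueError; there is no path where raw input reaches a shell."""
    if not _IFACE_RE.fullmatch(interface):
        raise ValueError("invalid interface name")
    # Parsing as an address rejects anything that is not a dotted quad
    # (ipaddress raises ValueError subclasses on bad input).
    addr = ipaddress.IPv4Address(ip)
    # Parsing the mask as a prefix also rejects non-contiguous masks.
    mask = ipaddress.IPv4Network(f"0.0.0.0/{netmask}").netmask
    return ["ifconfig", interface, str(addr), "netmask", str(mask)]


def apply_settings_hardened(interface: str, ip: str, netmask: str, run=subprocess.run):
    """Hardened handler: validated argv with shell=False, so metacharacters
    are inert. `run` is injectable so the call can be exercised without
    touching the host's interfaces."""
    argv = validate_settings(interface, ip, netmask)
    return run(argv, shell=False, check=True)
```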
Defense
- Remove or replace impacted devices where no current mitigation exists; CISA explicitly instructs discontinuation for EoL/EoS products when mitigations are unavailable [CISA KEV].
- Treat RLC-410W management interfaces as high risk and isolate them on a dedicated management VLAN with no direct internet exposure, reducing the blast radius of CVE-2021-40407 exploitation attempts [NVD record].
- Restrict who can authenticate: because the flaw is authenticated, tighten access controls, enforce MFA on the admin portal wherever an intermediary in front of it supports it, and minimize the number of accounts with configuration rights on the camera [CISA KEV].
- Monitor and alert on configuration changes to network settings for these cameras; unexpected edits followed by device restarts may indicate attempted command injection consistent with CWE-78 behavior [NVD record].
- Egress control: restrict outbound traffic from camera subnets to only the necessary destinations; containing post-exploitation activity limits the follow-on impact of OS command execution [NVD record].
- Inventory and triage: enumerate where the RLC-410W is present, correlate against CISA's due date of 2025-01-08, and move vulnerable instances into an urgent remediation queue [CISA KEV].
- Validate vendor status and firmware options; where a mitigation is available, plan change windows, and where it is not, plan decommissioning per KEV guidance to eliminate residual risk [CISA KEV].
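As an added example for the monitoring item above (not part of the advisory and not Lyrie's product), a small correlation check over constructed log lines: it flags authenticated POSTs to a placeholder network-settings endpoint whose URL-decoded parameter values carry shell metacharacters, and those followed by a device restart within a short window. The endpoint path, field names and log layout are assumptions, since the camera's real paths are not given on the page.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample events, not captured device logs. The endpoint path,
# field names and layout are placeholders chosen for this illustration.
NET_SETTINGS_PATHS = {"/cgi-bin/netsettings"}  # placeholder path
SAMPLE_EVENTS = [
    "2024-12-18T10:00:01Z web user=admin method=POST path=/cgi-bin/netsettings"
    " body=iface=wlan0&ip=192.168.1.20&mask=255.255.255.0",
    "2024-12-18T10:05:12Z web user=admin method=POST path=/cgi-bin/netsettings"
    " body=iface=wlan0&ip=192.168.1.20%3B%20echo%20x&mask=255.255.255.0",
    "2024-12-18T10:05:15Z sys event=restart reason=unexpected",
]
_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>web|sys) (?P<kv>.*)$")
_META = re.compile(r"[;|&`$()<>\n]")  # characters a POSIX shell would interpret


def parse_event(line):
    """Parse one 'timestamp source key=value ...' line into a dict, or None."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split(" ") if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["src"] = m.group("src")
    return fields


def body_has_metachar(body: str) -> bool:
    """True if any URL-decoded parameter value contains a shell metacharacter."""
    params = parse_qs(body, keep_blank_values=True)
    return any(_META.search(v) is not None for vals in params.values() for v in vals)


def find_suspicious(lines, restart_window=timedelta(seconds=60)):
    """Flag network-settings POSTs carrying metacharacters or followed by a restart."""
    events = [e for e in map(parse_event, lines) if e]
    restarts = [e["ts"] for e in events if e["src"] == "sys" and e.get("event") == "restart"]
    alerts = []
    for e in events:
        if e["src"] != "web" or e.get("method") != "POST" or e.get("path") not in NET_SETTINGS_PATHS:
            continue
        reasons = []
        if body_has_metachar(e.get("body", "")):
            reasons.append("shell_metachar")
        if any(e["ts"] <= r <= e["ts"] + restart_window for r in restarts):
            reasons.append("followed_by_restart")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "user": e.get("user"), "reasons": reasons})
    return alerts
```

A legitimate settings change that triggers a planned reboot will also match the restart rule, so the first reason is the stronger signal and the second is context for triage.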
Lyrie Verdict
This is a textbook case where authenticated web-to-OS injection on an edge device demands autonomous detection at machine speed, not manual chase-downs after compromise [NVD record]. Lyrie treats KEV entries as real-time threat intents: we auto-promote CVE-2021-40407 into policy, watching for authenticated requests that mutate network settings on RLC-410W-like endpoints and correlating them with anomalous command-execution side effects on the wire [CISA KEV]. Our models fuse request semantics linked to CWE-78 with device behavior to flag probable injection even when the attacker holds valid credentials, closing the gap KEV highlights between known exploitation and organizational response time [NVD record]. Bottom line: a compromised camera should never be the first signal; Lyrie surfaces the exploit attempt as it happens and enforces containment automatically across the segment [CISA KEV].
Lyrie Verdict
Lyrie auto-promotes KEV-listed CVE-2021-40407 into network policy, detecting authenticated network-settings mutations with CWE-78 patterns and isolating affected camera segments at machine speed.