Reolink Video Doorbell WiFi Unauthenticated Root Shell Access via Unsecured UART Console

Vulnerability

A vulnerability in the Reolink Video Doorbell WiFi model DB_566128M5MP_W allows unauthorized root shell access through an exposed UART/serial console. This issue arises from improper access control, enabling attackers with physical access to the device to connect to the serial interface and execute arbitrary commands with root privileges. The vulnerability is present in the device's production firmware, where the serial console is left enabled without authentication, exposing critical system files and services.

Impact

Exploitation of this vulnerability grants full control of the device with root privileges, allowing for unauthorized modification of the firmware, installation of permanent backdoors, and access to sensitive configuration data and network credentials.

Reproduction

The vulnerability can be reproduced by physically accessing the device and connecting to the UART pads during the boot sequence. This bypasses authentication checks and spawns an unrestricted root shell, providing direct access to the device's operating system with administrative privileges.

Remediation

Users are advised to prevent physical access to the devices in public or shared areas. If possible, epoxy or shield the exposed UART pads on production units. Reolink should disable the serial console in production firmware builds, implement secure boot and password-based shell protection, and restrict maintenance interfaces to authenticated engineering modes only.
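One way to check a firmware build for the condition this remediation describes, as an added example that is not the advisory's or Reolink's own code: it audits an extracted root filesystem's /etc/inittab for console entries that start a shell with no login prompt, and assumes a BusyBox-style inittab (the page does not say which init system the device uses).

```python
"""Added example, not code from the advisory or from Reolink: audit a
BusyBox-style /etc/inittab (from an extracted firmware root filesystem) for
console entries that hand out a shell with no login prompt. Assumes BusyBox
init with the id:runlevels:action:process line format."""
import shlex

SHELLS = {"sh", "ash", "bash", "dash"}
INTERACTIVE_ACTIONS = {"respawn", "askfirst", "once", "wait"}
# Flags that skip authentication: busybox getty -n, agetty -n / -a USER, login -f USER.
SKIP_AUTH = {"getty": {"-n"}, "agetty": {"-n", "-a"}, "login": {"-f"}}


def classify_entry(line):
    """Reason string if the entry spawns an unauthenticated shell, else None."""
    fields = line.split("#", 1)[0].strip().split(":", 3)  # drop comments
    if len(fields) != 4 or fields[2] not in INTERACTIVE_ACTIONS:
        return None
    tty, argv = fields[0] or "console", shlex.split(fields[3])
    if not argv:
        return None
    name = argv[0].lstrip("-").rsplit("/", 1)[-1]  # leading '-' = login shell
    # Case 1: the process is a shell itself (only flags, no script argument).
    if name in SHELLS and all(a.startswith("-") for a in argv[1:]):
        return f"{tty}: shell started directly, no login"
    # Case 2: getty/login told to skip auth, or given a shell as login program.
    if name in SKIP_AUTH:
        if SKIP_AUTH[name] & set(argv[1:]):
            return f"{tty}: {name} configured to skip authentication"
        for opt, val in zip(argv, argv[1:]):
            if opt == "-l" and val.rsplit("/", 1)[-1] in SHELLS:
                return f"{tty}: {name} uses a shell as its login program"
    return None


def audit_inittab(text):
    """Return [(line_no, reason)] for every weak console entry in an inittab."""
    numbered = enumerate(text.splitlines(), 1)
    return [(no, r) for no, l in numbered if (r := classify_entry(l))]


# Constructed samples: an image that still drops a root shell on the serial
# console, and a corrected one that only ever offers a login prompt.
WEAK_INITTAB = """::sysinit:/etc/init.d/rcS
ttyS0::respawn:-/bin/sh
::askfirst:/sbin/getty -n -l /bin/sh 115200 ttyS0
"""
FIXED_INITTAB = """::sysinit:/etc/init.d/rcS
ttyS0::respawn:/sbin/getty -L 115200 ttyS0 vt100
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INITTAB), ("fixed", FIXED_INITTAB)):
        print(label, audit_inittab(text) or "OK: no unauthenticated console entry")
```

Run it against the inittab of a candidate production image before signing; the getty entry in the fixed sample is what "password-based shell protection" on the serial line looks like at the init level, and removing the entry altogether disables the console.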

Added: Oct 20, 2025, 4:17 PM
Updated: Oct 20, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 3.6
remediation: 0.0
relevance: 0.8
threat: 1.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.