CVE-2025-56800 — MEDIUM (5.1)

Vulnerability Description

Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource file. Because the password is stored and returned via a modifiable JavaScript property(a.settingsManager.lockScreenPassword), an attacker can patch the return value to bypass authentication. NOTE: this is disputed by the Supplier because the lock-screen bypass would only occur if the local user modified his own instance of the application.

CVSS Score

5.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Reolink	Reolink	8.18.12

Related Weaknesses (CWE)

CWE-290

References

https://github.com/shinyColumn/CVE-2025-56800ExploitThird Party Advisory
https://shinycolumn.notion.site/reolink-auth-bypassExploitThird Party Advisory

FAQ

What is CVE-2025-56800?

CVE-2025-56800 is a vulnerability with a CVSS score of 5.1 (MEDIUM). Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript w...

How severe is CVE-2025-56800?

CVE-2025-56800 has been rated MEDIUM with a CVSS base score of 5.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-56800?

Check the references section above for vendor advisories and patch information. Affected products include: Reolink Reolink.