Vulnerability Details CVE-2025-55619
Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 10.8%
CVSS Severity
CVSS v3 Score 9.8
References
- https://cwe.mitre.org/data/definitions/321.html
- https://cwe.mitre.org/data/definitions/329.html
- https://developer.android.com/reference/kotlin/androidx/security/crypto/EncryptedSharedPreferences
- https://nvd.nist.gov/vuln/detail/CVE-2020-25173
- https://www.notion.so/Reolink-Android-App-Uses-Hardcoded-AES-Key-and-IV-for-Sensitive-Data-Decryption-21a43700364280dc95bedcf6ac1a5db0
- https://relieved-knuckle-264.notion.site/Reolink-Android-App-Uses-Hardcoded-AES-Key-and-IV-for-Sensitive-Data-Decryption-21a43700364280dc95bedcf6ac1a5db0