CVE-2025-55619: n/a
Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering.
AI Analysis
Technical Summary
CVE-2025-55619 is a critical vulnerability identified in Reolink software version 4.54.0.4.20250526. The vulnerability arises from the presence of a hardcoded encryption key and initialization vector (IV) within the application. This cryptographic flaw allows an attacker who reverse engineers the app to obtain these static cryptographic parameters. With access to the hardcoded key and IV, the attacker can decrypt sensitive data such as access tokens and web session tokens stored inside the app. These tokens are typically used to authenticate users and maintain session states, meaning their compromise can lead to unauthorized access to user accounts and potentially the underlying Reolink devices or services. The vulnerability is classified under CWE-321, which relates to the use of hardcoded cryptographic keys, a well-known security anti-pattern that severely undermines the confidentiality and integrity of encrypted data. The CVSS v3.1 base score is 9.8, indicating a critical severity level, with an attack vector of network (AV:N), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the ease of exploitation due to the lack of required privileges or user interaction makes this vulnerability highly dangerous. The absence of a patch link suggests that a fix may not yet be available, increasing the urgency for mitigation and risk management.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those using Reolink security cameras or related IoT devices integrated into their physical security infrastructure. Compromise of access and session tokens can lead to unauthorized access to video feeds, potentially exposing sensitive surveillance data. This breach of confidentiality can undermine privacy compliance obligations under regulations such as the GDPR. Furthermore, attackers could manipulate or disrupt device operation, impacting availability and integrity of security monitoring systems. Organizations relying on Reolink devices for perimeter security, facility monitoring, or remote surveillance could face increased risks of espionage, data theft, or sabotage. The vulnerability also poses risks to managed service providers and integrators who deploy these devices across multiple client sites, potentially amplifying the scope of impact. Given the critical severity and ease of exploitation, European entities must treat this vulnerability as a high-priority security risk.
Mitigation Recommendations
Immediate mitigation steps include:
1) Restrict network access to Reolink devices and associated management applications by implementing network segmentation and firewall rules to limit exposure to trusted networks only.
2) Monitor network traffic for unusual access patterns or unauthorized token usage that could indicate exploitation attempts.
3) Enforce strong authentication and session management policies on backend services to detect and invalidate suspicious sessions promptly.
4) Engage with Reolink to obtain official patches or firmware updates addressing this vulnerability as soon as they become available.
5) Where possible, replace or upgrade vulnerable devices with versions confirmed to be free of hardcoded cryptographic keys.
6) Educate security teams and users about the risks of hardcoded keys and the importance of secure key management.
7) Consider deploying endpoint detection and response (EDR) solutions capable of detecting reverse engineering or tampering attempts on client applications.
8) Conduct regular security assessments and penetration tests focusing on IoT device security to identify similar weaknesses proactively.
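A static check for the CWE-321 pattern described in the technical summary, of the kind the security assessments in step 8 can run over an application's own source tree (added example, not code from Reolink or from this advisory). It assumes Java sources that use `javax.crypto`'s `SecretKeySpec` and `IvParameterSpec`; the sample class and its key and IV values are constructed.

```python
import re

# javax.crypto constructors whose first argument is raw key or IV material.
SINKS = {"SecretKeySpec": "key", "IvParameterSpec": "iv"}
SINK_RE = re.compile(r"new\s+(SecretKeySpec|IvParameterSpec)\s*\(\s*([^,)]+)")
# First argument starts with a string literal or an inline byte-array initializer.
LITERAL_RE = re.compile(r'"|new\s+byte\s*\[\s*\]\s*\{')
# Compile-time constants: final String K = "..."; or final byte[] IV = {...};
CONST_RE = re.compile(
    r'\bfinal\s+(?:String|byte\s*\[\s*\])\s+(\w+)\s*=\s*(?:"|(?:new\s+byte\s*\[\s*\]\s*)?\{)')

def scan(source):
    """Return (line, kind, reason) for key/IV material fixed at build time."""
    constants = set(CONST_RE.findall(source))
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in SINK_RE.finditer(line):
            kind, arg = SINKS[m.group(1)], m.group(2).strip()
            named = sorted(set(re.findall(r"[A-Za-z_]\w*", arg)) & constants)
            if LITERAL_RE.match(arg):
                findings.append((lineno, kind, "inline literal"))
            elif named:
                findings.append((lineno, kind, "constant " + named[0]))
    return findings

# Constructed sample, not Reolink code: two hardcoded patterns and one safe one.
SAMPLE = '''\
class TokenStore {
    private static final String AES_KEY = "constructed-key!";
    private static final byte[] AES_IV = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
    Cipher legacy() throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(AES_KEY.getBytes(), "AES"),
               new IvParameterSpec(AES_IV));
        return c;
    }
    IvParameterSpec inline() { return new IvParameterSpec("constructed-iv!!".getBytes()); }
    // Safe: key comes from a keystore handle, IV is generated per message.
    void ok(Cipher c, SecretKey keystoreKey, byte[] freshIv) throws Exception {
        c.init(Cipher.ENCRYPT_MODE, keystoreKey, new IvParameterSpec(freshIv));
    }
}
'''

if __name__ == "__main__":
    for lineno, kind, reason in scan(SAMPLE):
        print(f"line {lineno}: hardcoded {kind} ({reason})")
```

Matching is per file and by name, so a constant declared in another class is missed and a local variable that shadows a constant name is flagged. Treat each finding as a prompt for manual review.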
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-13T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68a8a2b8ad5a09ad0020861f
Added to database: 8/22/2025, 5:02:48 PM
Last enriched: 8/30/2025, 1:01:20 AM
Last updated: 9/2/2025, 10:32:26 AM