
CVE-2025-55621: n/a

Severity: Medium
Published: Fri Aug 22 2025 (08/22/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior; the photos are part of a social platform on which users expect to find one another.

AI-Powered Analysis

Last updated: 09/09/2025, 21:42:45 UTC

Technical Analysis

CVE-2025-55621 identifies an Insecure Direct Object Reference (IDOR) in Reolink version 4.54.0.4.20250526. An attacker who knows or guesses the object reference for another user's profile photo can craft a URL that fetches it directly; the server returns the image without checking whether the requester is entitled to see it. IDOR, tracked as CWE-639 (Authorization Bypass Through User-Controlled Key), arises when an application exposes references to internal objects (files, database rows, user identifiers) in a request parameter and then uses that user-controlled key to look the object up without verifying the requester's authorization to read it. Here the exposed objects are profile photos on the platform's social feature, where users are meant to find and connect with one another, and the description states that no authentication or permission check stands in the way. The supplier disputes the classification, arguing that the photos are intentionally public by design. Whether this is a vulnerability therefore turns on user expectation: if users believe their photos are visible only to contacts, or the platform offers a privacy setting that the download endpoint does not honour, the behaviour is an authorization bypass; if the photos are documented as public, it is a privacy design choice rather than a bug. This analysis assigns a CVSS v3.1 base score of 6.5 (medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, reflecting network attack vector, low complexity, no privileges or user interaction, unchanged scope, low confidentiality and integrity impact and no availability impact. Note that the CVE record itself carries no CVSS entry (its CVSS version field is null), so the score is the analyst's estimate, and a read-only disclosure would ordinarily be scored with no integrity impact (I:N), which would lower the base score to 5.3. No exploits are reported in the wild and no patch has been linked.
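The IDOR pattern described above, reduced to a minimal Python model. This is an added example written for this page, not Reolink's code: the user records, the visibility settings and the `/profile/<id>/photo` URL shape are assumptions. The vulnerable handler looks the photo up by the user-controlled id alone; the hardened one authorizes against the owner's visibility setting and denies by default, and the crawler shows what an anonymous attacker recovers from each.

```python
"""Minimal model of the IDOR pattern behind CVE-2025-55621, with a hardened form.

Constructed example: the user records, photo bytes and URL layout below are
invented for illustration and are NOT Reolink's data model or endpoints.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    photo: bytes
    visibility: str = "private"          # "private", "contacts" or "public"
    contacts: set = field(default_factory=set)


# Constructed sample data: three users with different visibility settings.
USERS = {
    1: User(1, b"PNG:alice", visibility="private"),
    2: User(2, b"PNG:bob", visibility="contacts", contacts={1}),
    3: User(3, b"PNG:carol", visibility="public"),
}


class Forbidden(Exception):
    """Raised when the requester is not allowed to read the requested photo."""


def get_photo_vulnerable(requester_id, owner_id):
    """IDOR: the only key is the user-controlled owner_id taken from the URL.

    Whoever requests /profile/<owner_id>/photo gets the bytes; the requester
    (who may be anonymous, requester_id=None) is never consulted.
    """
    return USERS[owner_id].photo


def get_photo_hardened(requester_id, owner_id):
    """Authorize against the owner's visibility setting before returning data.

    Every branch that returns data states why the requester may see it; the
    default is to deny. Unknown owner ids raise the same error as forbidden
    ones so the endpoint cannot be used to enumerate which accounts exist.
    """
    owner = USERS.get(owner_id)
    if owner is None:
        raise Forbidden("no such photo")
    if owner.visibility == "public":
        return owner.photo
    if requester_id is None:
        raise Forbidden("authentication required")
    if requester_id == owner_id:
        return owner.photo
    if owner.visibility == "contacts" and requester_id in owner.contacts:
        return owner.photo
    raise Forbidden("not authorised")


def enumerate_photos(handler, requester_id, max_id=10):
    """Walk owner ids the way an attacker would and return what leaked."""
    leaked = {}
    for owner_id in range(1, max_id + 1):
        try:
            leaked[owner_id] = handler(requester_id, owner_id)
        except (Forbidden, KeyError):
            pass
    return leaked


if __name__ == "__main__":
    print("vulnerable, anonymous:", enumerate_photos(get_photo_vulnerable, None))
    print("hardened, anonymous:  ", enumerate_photos(get_photo_hardened, None))
    print("hardened, as user 1:  ", enumerate_photos(get_photo_hardened, 1))
```

With every user set to `public` the two handlers return identical data, which is the supplier's position in a nutshell; the finding only has teeth where a user holds a non-public setting that the download endpoint ignores. Replacing sequential ids with unguessable photo tokens slows enumeration but is not a substitute for the authorization check.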

Potential Impact

For European organizations using Reolink devices or software, this behaviour could disclose user profile photos to anyone who can reach the platform, which may conflict with users' privacy expectations and with data protection obligations under the GDPR. The rated impact on confidentiality and integrity is low, but harvested profile images can be correlated with other data and used for social engineering, targeted phishing and reputational harm. Organizations that deploy Reolink products where user privacy matters, such as corporate campuses, residential complexes or public safety monitoring, may face compliance questions and user trust issues. Because no authentication is required, an attacker can enumerate and download images in bulk, and each individual request looks like an ordinary photo fetch. The behaviour does not affect device functionality or availability, so operational disruption is unlikely. The supplier's position that this is intended complicates mitigation and risk communication: organizations need to check what their own privacy policies and user agreements say about photo visibility on the platform.

Mitigation Recommendations

1. Review and update privacy settings and user agreements on the Reolink platform so that the visibility of profile photos is clearly communicated and users have given informed consent.
2. Use network segmentation and access controls to limit which of your own hosts and users can reach the Reolink social platform. Note that where the platform is hosted by the supplier, server-side access control can only be changed by the supplier; segmentation limits your exposure, not who else can reach the service.
3. Monitor network traffic and any available access logs for patterns that indicate harvesting: many distinct profile ids fetched from one source in a short window, ids walked sequentially, and photo requests carrying no session.
4. Engage with the supplier to clarify the intended behaviour and request stricter access controls or an opt-out for profile photo visibility.
5. Where possible, disable or limit the social platform features that expose user profile photos if they are not essential to the organizational use case.
6. Include this issue in privacy impact assessments and compliance audits to confirm alignment with the GDPR and other relevant data protection law.
7. Educate users that their profile photos may be visible to others and encourage them not to use images they consider sensitive.
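A detection for recommendation 3, run over a few constructed access-log lines. This is an added example for this page, not a Reolink log format or a vendor detection: the line layout, the `/profile/<id>/photo` path and the thresholds are assumptions, and it presupposes that you can see the platform's HTTP access logs at all (a supplier-hosted service will not give you these). Per source IP it keeps a sliding time window of photo requests and alerts when the window holds many distinct owners, reporting whether the ids were walked sequentially and whether the requests were unauthenticated.

```python
"""Detect bulk profile-photo harvesting in web access logs.

Constructed example: the log format, the /profile/<id>/photo path and the
thresholds are assumptions, not Reolink's real endpoint or logging. Adapt
LINE_RE to the platform's actual URLs and log layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<iso time> <client ip> <auth user or -> <method> <path> <status>"
# 203.0.113.7 walks ids 1001..1012 anonymously in six seconds (1005 does not exist);
# the two named users fetch one or two photos each, which is normal browsing.
SAMPLE_LOG = """\
2025-08-22T10:00:01Z 203.0.113.7 - GET /profile/1001/photo 200
2025-08-22T10:00:02Z 203.0.113.7 - GET /profile/1002/photo 200
2025-08-22T10:00:02Z 203.0.113.7 - GET /profile/1003/photo 200
2025-08-22T10:00:03Z 203.0.113.7 - GET /profile/1004/photo 200
2025-08-22T10:00:03Z 203.0.113.7 - GET /profile/1005/photo 404
2025-08-22T10:00:04Z 203.0.113.7 - GET /profile/1006/photo 200
2025-08-22T10:00:04Z 203.0.113.7 - GET /profile/1007/photo 200
2025-08-22T10:00:05Z 203.0.113.7 - GET /profile/1008/photo 200
2025-08-22T10:00:05Z 203.0.113.7 - GET /profile/1009/photo 200
2025-08-22T10:00:06Z 203.0.113.7 - GET /profile/1010/photo 200
2025-08-22T10:00:06Z 203.0.113.7 - GET /profile/1011/photo 200
2025-08-22T10:00:07Z 203.0.113.7 - GET /profile/1012/photo 200
2025-08-22T10:05:00Z 198.51.100.4 alice GET /profile/1002/photo 200
2025-08-22T10:05:10Z 198.51.100.4 alice GET /profile/1040/photo 200
2025-08-22T10:06:00Z 198.51.100.9 bob GET /profile/2000/photo 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) "
    r"/profile/(?P<owner>\d+)/photo\S* (?P<status>\d{3})$"
)


def parse(log_text):
    """Yield (timestamp, ip, user_or_None, owner_id, status) for photo requests only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user = None if m["user"] == "-" else m["user"]
        yield ts, m["ip"], user, int(m["owner"]), int(m["status"])


def find_harvesters(log_text, window=timedelta(minutes=5), min_distinct=10):
    """Flag sources that fetch many distinct users' photos inside one time window.

    Misses (404) are deliberately counted: an enumerator hits gaps in the id
    space, and the attempt is the signal. For each source the alert reports the
    largest window seen, whether the owner ids form an unbroken sequence, and
    whether every request in it was unauthenticated.
    """
    events = defaultdict(list)
    for ts, ip, user, owner, status in parse(log_text):
        events[ip].append((ts, owner, user))

    alerts = {}
    for ip, hits in events.items():
        hits.sort(key=lambda h: h[0])
        best = None
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            window_hits = hits[start:end + 1]
            owners = sorted({owner for _, owner, _ in window_hits})
            if len(owners) < min_distinct:
                continue
            if best is None or len(owners) > best["distinct_owners"]:
                best = {
                    "distinct_owners": len(owners),
                    "sequential": all(b - a == 1 for a, b in zip(owners, owners[1:])),
                    "anonymous": all(user is None for _, _, user in window_hits),
                }
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, info in find_harvesters(SAMPLE_LOG).items():
        print(ip, info)
```

The threshold of ten distinct owners in five minutes is a starting point, not a tuned value; on a platform where browsing a contact list legitimately loads many thumbnails you would raise it, or key on the `sequential` and `anonymous` flags rather than the raw count.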


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-13T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68a8a2b8ad5a09ad00208629

Added to database: 8/22/2025, 5:02:48 PM

Last enriched: 9/9/2025, 9:42:45 PM

Last updated: 10/7/2025, 1:49:53 PM