
CVE-2025-55622: n/a

Medium
Tags: Vulnerability, CVE-2025-55622
Published: Fri Aug 22 2025 (08/22/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Reolink v4.54.0.4.20250526 was discovered to contain a task hijacking vulnerability due to inappropriate taskAffinity settings. NOTE: this is disputed by the Supplier because it is intentional behavior to ensure a predictable user experience.

AI-Powered Analysis

AI analysis last updated: 09/02/2025, 00:35:46 UTC

Technical Analysis

CVE-2025-55622 is a medium-severity vulnerability identified in Reolink software version 4.54.0.4.20250526. The issue stems from inappropriate taskAffinity settings within the application, leading to a task hijacking vulnerability classified under CWE-491 (Shared Resource with Improper Synchronization). Task affinity in Android or similar environments controls which tasks or activities are grouped together; when an activity declares an affinity that other applications can match, an unrelated application can place its own activity in the same task. Improper configuration can therefore allow malicious or unintended tasks to hijack or interfere with legitimate tasks, potentially causing denial of service or unauthorized resource manipulation. The vulnerability is rated as network exploitable (AV:N), requiring no privileges (PR:N) and no user interaction (UI:N), which makes it relatively easy to exploit remotely. The impact is limited to confidentiality loss (C:L) and availability loss (A:L), with no integrity impact (I:N). The supplier disputes the vulnerability, claiming the behavior is intentional to maintain a predictable user experience, which suggests the design choice trades security for usability. No patches or known exploits are currently reported. The CVSS v3.1 base score is 6.5, indicating medium severity. This vulnerability could allow an attacker to hijack tasks, potentially disrupting device operation or leaking limited information, but it does not allow full system compromise or data integrity breaches.
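To make the taskAffinity issue concrete, the following AndroidManifest.xml fragment is an added illustration and is not taken from the Reolink app (whose manifest is not on this page); the package, activity names and affinity value are placeholders. It shows an activity declared with a shareable affinity beside the hardened form that pins it to its own task.

```xml
<!-- Example added for illustration; package and names are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <application>

    <!-- Risky: a named affinity lets any activity that declares the same
         affinity (including one from another app) be launched into this
         activity's task, which is the basis of task hijacking. Reparenting
         allows activities to migrate between tasks as well. -->
    <activity
        android:name=".LoginActivity"
        android:exported="true"
        android:taskAffinity="com.example.shared"
        android:launchMode="standard"
        android:allowTaskReparenting="true" />

    <!-- Hardened: an empty taskAffinity means the activity shares a task
         with no other activity, singleInstance keeps it as the only
         activity in its task, and reparenting is disabled. -->
    <activity
        android:name=".LoginActivity"
        android:exported="true"
        android:taskAffinity=""
        android:launchMode="singleInstance"
        android:allowTaskReparenting="false" />

  </application>
</manifest>
```

Only one of the two activity declarations would appear in a real manifest; they are shown side by side so the weak and corrected attributes can be compared. The empty-string affinity is the documented way to opt an activity out of affinity-based task grouping, and it can be set per activity rather than for the whole application.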

Potential Impact

For European organizations using Reolink devices, particularly in security surveillance or IoT deployments, this vulnerability could lead to partial service disruption or limited data exposure. The confidentiality impact, while low, could expose sensitive surveillance metadata or device state information. The availability impact could result in denial of service conditions, affecting the continuous monitoring capabilities critical for physical security. Given that no privileges or user interaction are required, attackers could exploit this remotely, increasing risk in exposed network environments. Organizations relying on Reolink for perimeter security or critical infrastructure monitoring may face operational risks and potential compliance issues under GDPR if personal data confidentiality is compromised. The absence of known exploits and the supplier's dispute may reduce immediate risk, but they should not lead to complacency.

Mitigation Recommendations

Organizations should implement network segmentation to isolate Reolink devices from untrusted networks, minimizing exposure to remote exploitation. Employ strict firewall rules to restrict inbound traffic to only trusted sources and management interfaces. Monitor device behavior for anomalies indicative of task hijacking or service disruption. Since no patches are currently available, consider deploying compensating controls such as VPN access for device management and disabling unnecessary services or features that could be leveraged for exploitation. Engage with the vendor for clarification on the vulnerability status and request timely security updates or configuration guidance. Additionally, maintain up-to-date asset inventories to quickly identify affected devices and plan for eventual patch deployment once available.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-13T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68a8a2b8ad5a09ad0020862c

Added to database: 8/22/2025, 5:02:48 PM

Last enriched: 9/2/2025, 12:35:46 AM

Last updated: 9/2/2025, 6:00:54 AM
