
CVE-2025-55629: n/a

0
Medium
Vulnerability, CVE-2025-55629, cve, cve-2025-55629
Published: Fri Aug 22 2025 (08/22/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Insecure permissions in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allow attackers to arbitrarily change other users' passwords via manipulation of the userName value.

AI-Powered Analysis

Last updated: 08/22/2025, 17:19:01 UTC

Technical Analysis

CVE-2025-55629 is a security vulnerability identified in the Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime, specifically affecting firmware version 3.0.0.4662_2503122283. The vulnerability arises due to insecure permissions that allow an attacker to manipulate the 'userName' parameter to arbitrarily change other users' passwords. This flaw indicates a lack of proper access control and input validation within the device's firmware, enabling unauthorized users to escalate privileges or take over accounts without authentication. The vulnerability does not require prior authentication or user interaction, making it particularly dangerous. Although no known exploits are currently reported in the wild, the potential for exploitation exists given the nature of the flaw. The absence of a CVSS score suggests that the vulnerability is newly disclosed and has not yet undergone formal severity assessment. The core technical issue is that the device's firmware improperly handles user credential management, allowing attackers to overwrite or reset passwords of other users by tampering with the username field, which could lead to full account takeover and unauthorized access to the device's video streams and controls.
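
The class of flaw described above, as an added example (this is not Reolink firmware code and not code from this page): a password-change handler that takes the target account from a client-supplied `userName`, next to a version that binds the change to the authenticated session. The handler names, the session model and the in-memory account store are all hypothetical.

```python
import hashlib
import hmac
import os

# Constructed in-memory account store; nothing here reflects the device's real API.
USERS = {}

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(name: str, password: str, is_admin: bool = False) -> None:
    salt = os.urandom(16)
    USERS[name] = {"salt": salt, "hash": _hash(password, salt), "admin": is_admin}

def check_password(name: str, password: str) -> bool:
    user = USERS.get(name)
    return bool(user) and hmac.compare_digest(user["hash"], _hash(password, user["salt"]))

def _set_password(name: str, new_password: str) -> None:
    salt = os.urandom(16)
    USERS[name].update(salt=salt, hash=_hash(new_password, salt))

def change_password_vulnerable(session_user, request: dict) -> bool:
    """Flawed pattern: the target account comes from the request body alone."""
    target = request.get("userName")
    if target not in USERS:
        return False
    _set_password(target, request["newPassword"])
    return True

def change_password_hardened(session_user, request: dict) -> bool:
    """Target is bound to the authenticated session; other accounts need admin rights."""
    caller = USERS.get(session_user)
    if caller is None:  # no authenticated session: reject outright
        return False
    target = request.get("userName", session_user)
    if target not in USERS:
        return False
    if target != session_user and not caller["admin"]:
        return False  # cross-account change by a non-admin is denied
    # Changing your own password also requires proof of the current one.
    if target == session_user and not check_password(
            session_user, request.get("oldPassword", "")):
        return False
    _set_password(target, request["newPassword"])
    return True
```
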

Potential Impact

For European organizations, especially those using Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbells in office premises, residential buildings, or critical infrastructure sites, this vulnerability poses significant risks. Unauthorized password changes can lead to complete compromise of the device, allowing attackers to gain access to live video feeds, recorded footage, and potentially use the device as a foothold into the broader network. This could result in breaches of confidentiality, privacy violations, and unauthorized surveillance. Additionally, attackers could disrupt availability by locking out legitimate users or disabling the device. Organizations relying on these devices for physical security monitoring may face increased risk of undetected intrusions or sabotage. The vulnerability could also be exploited for lateral movement within networks if the device is connected to internal systems. Given the increasing adoption of IoT security devices in Europe, the impact extends beyond individual users to organizational security postures and compliance with data protection regulations such as GDPR.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately verify the firmware version of their Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbells and avoid using the affected firmware version 3.0.0.4662_2503122283. Since no official patch links are currently available, organizations should monitor Reolink's official channels for firmware updates addressing this issue. In the interim, restrict network access to the devices by placing them behind firewalls or VLANs that limit exposure to untrusted networks. Implement network segmentation to isolate IoT devices from critical IT infrastructure. Employ strong network-level authentication and monitoring to detect unusual access patterns. Disable remote management features if not required. Additionally, conduct regular audits of device user accounts and credentials to detect unauthorized changes. For organizations with large deployments, consider alternative devices with better security track records until a patch is released. Finally, raise user awareness about the risks of IoT device compromise and enforce strict physical security controls to prevent local tampering.

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-13T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68a8a2b8ad5a09ad0020863f

Added to database: 8/22/2025, 5:02:48 PM

Last enriched: 8/22/2025, 5:19:01 PM

Last updated: 10/7/2025, 1:49:51 PM
