CVE-2025-55630 is a vulnerability identified in the Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime, specifically affecting firmware version 3.0.0.4662_2503122283. The vulnerability arises from a discrepancy in the error messages returned by the device's login function when incorrect credentials are submitted. More precisely, when an attacker attempts to log in with a wrong username or password, the device responds with different error messages depending on whether the username exists or not. This behavior enables an attacker to perform account enumeration attacks by systematically submitting login attempts and analyzing the error responses to determine valid usernames registered on the device. Although this vulnerability does not directly allow unauthorized access, it leaks information about valid accounts, which can be leveraged in subsequent attacks such as brute force password guessing or targeted phishing. The vulnerability does not have a CVSS score assigned yet, and no known exploits have been reported in the wild. The affected product is a consumer IoT device used for home security and monitoring, which typically has network connectivity and may be accessible remotely depending on user configuration. The lack of patch information suggests that remediation may not yet be available or publicly disclosed. This vulnerability highlights the importance of consistent error handling in authentication mechanisms to prevent information leakage.

For European organizations, the impact of this vulnerability depends largely on the deployment context of the affected Reolink video doorbell devices. While primarily consumer-focused, these devices may also be used in small offices, retail locations, or branch sites of larger organizations. The ability to enumerate valid usernames can facilitate targeted brute force attacks, potentially leading to unauthorized access to the device. Compromise of such devices could allow attackers to monitor video feeds, invade privacy, or use the device as a foothold within a network. In environments where these devices are integrated into broader security or building management systems, the risk escalates as attackers might pivot to other internal resources. Additionally, the exposure of valid usernames can aid social engineering or credential stuffing attacks against users who reuse passwords across services. Given the increasing adoption of IoT devices in European enterprises and smart buildings, this vulnerability poses a moderate risk to confidentiality and privacy, with potential secondary impacts on integrity and availability if attackers leverage the device for further attacks.

To mitigate this vulnerability, organizations and users should first verify if a firmware update or patch is available from Reolink addressing this issue and apply it promptly. In the absence of an official patch, users should consider the following practical steps: 1) Disable remote access to the device unless absolutely necessary, restricting management interfaces to trusted local networks. 2) Implement network segmentation to isolate IoT devices from critical business systems, limiting lateral movement opportunities. 3) Enforce strong, unique passwords for all device accounts to reduce the risk of successful brute force attacks following username enumeration. 4) Monitor device logs and network traffic for repeated failed login attempts indicative of enumeration or brute force activity. 5) Where possible, enable multi-factor authentication or additional access controls to strengthen authentication security. 6) Consider replacing vulnerable devices with alternatives that follow secure authentication practices if patching is not feasible. 7) Educate users about the risks of credential reuse and phishing attacks that could be facilitated by leaked username information.