CVE-2025-56799: n/a
Reolink desktop application 8.18.12 contains a command injection vulnerability in its scheduled cache-clearing mechanism via a crafted folder name. NOTE: this is disputed by the Supplier because a crafted folder name would arise only if the local user were attacking himself.
AI Analysis
Technical Summary
CVE-2025-56799 describes a command injection (CWE-77, Improper Neutralization of Special Elements used in a Command) in version 8.18.12 of the Reolink desktop application, in the routine that clears the application's cache on a schedule. The published description says only that the injection is reached via a crafted folder name: the routine evidently builds a command that includes the name of a folder it is about to remove, so a folder whose name contains shell metacharacters is interpreted as additional commands, which run with the privileges of the user running the application. Whoever can create a folder where the cache-clearing routine looks can therefore execute commands in that user's context. The supplier disputes the issue on the grounds that only the local user could create such a folder, so the user would be attacking themselves. That argument holds only if no other principal can write to the directory the routine processes; whether another local account or any other principal with write access to that location could do so is not addressed in the record. The CVSS 3.1 base score of 6.5 (medium) and vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N attached to this analysis should be read with caution: the CVE record itself lists no CVSS version, and a network attack vector with no privileges required is inconsistent with a flaw triggered by a folder name on the local filesystem, which is a local vector that requires write access to the affected directory. The low confidentiality and integrity ratings are likewise hard to reconcile with arbitrary command execution, even in an unprivileged user's context. No exploit in the wild has been reported and no vendor patch is listed. The practical risk is to whatever the application's user can reach, bounded by who can plant folders in its cache path.
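The following Python is an added illustration of the CWE-77 pattern the record describes, not Reolink's code (the record does not show the application's internals). It shows a cache-clearing routine that splices the folder name into a shell command, a crafted folder name that turns the deletion into a second command, and a hardened variant that removes the folder through the filesystem API so no shell ever parses the name. The folder name, the command string and the temporary cache root are constructed for the example; it assumes a POSIX shell with rm and touch available.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed folder name for the demonstration. ';' and spaces are legal
# filename characters on Linux/macOS, so anyone who can create a folder under
# the cache root can plant it.
CRAFTED_NAME = "old; touch INJECTED"


def build_clear_command(cache_root: Path, entry: str) -> str:
    """The CWE-77 pattern: a folder name spliced into a shell command string.
    Wrapping the path in quotes would not help; a name containing '"' breaks out."""
    return f"rm -rf {cache_root / entry}"


def clear_entry_vulnerable(cache_root: Path, entry: str) -> None:
    """shell=True hands the string to /bin/sh, which treats ';' as a separator."""
    subprocess.run(build_clear_command(cache_root, entry),
                   shell=True, cwd=cache_root, check=False)


def clear_entry_hardened(cache_root: Path, entry: str) -> bool:
    """Delete one cache sub-folder through the filesystem API. The name is
    never parsed by a shell. Returns False when the entry is rejected."""
    root = cache_root.resolve()
    target = root / entry
    # Never follow a symlink planted in the cache directory (check before resolve()).
    if target.is_symlink():
        return False
    resolved = target.resolve()
    # Only direct children of the cache root: rejects '', '.', '..', 'a/b', '../x'.
    if resolved.parent != root or resolved.name != entry:
        return False
    if not resolved.is_dir():
        return False
    shutil.rmtree(resolved)
    return True


def demo(crafted: str = CRAFTED_NAME) -> dict:
    """Run both variants against throwaway cache roots and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        (root / crafted).mkdir()
        clear_entry_vulnerable(root, crafted)
        # /bin/sh ran 'rm -rf <root>/old' (nothing to delete) and then 'touch INJECTED'.
        results["vulnerable_ran_injected_command"] = (root / "INJECTED").exists()
        results["vulnerable_removed_folder"] = not (root / crafted).exists()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        (root / crafted).mkdir()
        removed = clear_entry_hardened(root, crafted)
        results["hardened_ran_injected_command"] = (root / "INJECTED").exists()
        results["hardened_removed_folder"] = removed and not (root / crafted).exists()
        results["hardened_rejects_parent"] = not clear_entry_hardened(root, "..")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable variant never deletes the crafted folder at all (the shell sees a path ending in "old" that does not exist) and instead runs the attacker's second command; the hardened variant deletes exactly the folder named, whatever its name, and refuses anything that is not a plain child of the cache root. The fix is not better quoting but never giving the name to a shell.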
Potential Impact
For organizations running the vulnerable desktop client, the impact is execution of attacker-chosen commands in the context of the user running the application. That context typically includes the camera credentials, recordings and configuration the client holds for that user, so confidentiality and integrity of surveillance data are the primary concern. The vector assigned in this analysis rates availability impact as none, but arbitrary command execution can equally delete local recordings or disable the client, and can serve as a foothold for lateral movement or data exfiltration. The precondition is the ability to create a folder in the location the cache-clearing routine processes. Where that location is writable only by the application's own user, the supplier's self-attack argument applies and the practical risk is low. The exposure grows on shared workstations, on systems where the cache path sits somewhere other local users can write to, and in environments where insider threats are a concern. Because Reolink cameras are used for physical-security monitoring, a compromise of the viewing client can undermine trust in the footage and, where recordings contain personal data, raise GDPR obligations for affected European organizations.
Mitigation Recommendations
Since the record lists no official patch, organizations should treat the directory the cache-clearing routine processes as the control point and act on the following:
1) Confirm which version is installed (this record names 8.18.12) and ask Reolink whether a fixed release or official guidance exists; apply it as soon as one is available.
2) Locate the cache directory and verify that only the application's own user and administrators can create entries in it. Remove group and world write permission on POSIX systems and broad ACL entries such as Everyone or Users on Windows, and keep the cache out of shared or synchronized locations.
3) Run the client under an ordinary user account, never a shared or administrative one, so that any injected command inherits as little privilege as possible.
4) Use endpoint protection or application control to alert on, or block, shell interpreters (sh, bash, cmd.exe, powershell.exe) spawned by the Reolink client; the injection needs a command interpreter to run, so unexpected child processes are the clearest detection signal.
5) Periodically list the cache directory and flag folder names containing shell metacharacters (; & | ` $ < > quotes or line breaks); a benign cache should never produce such names, so their presence indicates either tampering or a planted payload.
6) Isolate systems running the client from untrusted networks and users, which limits both who can reach the machine and what a compromised client can reach.
7) Keep the client on the vendor's update channel and track Reolink's release notes so the fix for this CVE is applied promptly.
These steps target the specific precondition for exploitation, the ability to create a crafted folder where the routine will process it, rather than generic hardening.
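The permission and folder-name checks recommended above, as an added example that is not from the page or from Reolink: the script lists entries whose names contain shell metacharacters and reports whether group or world can create entries in the directory. The cache path is an assumption supplied on the command line, since the record does not say where the client keeps its cache, and the mode-bit check is POSIX-only (on Windows the NTFS ACL has to be inspected instead, for example with icacls). The demo() function builds a throwaway directory with constructed names so the checks can be exercised offline.

```python
import os
import re
import stat
import sys
import tempfile
from pathlib import Path

# Characters that /bin/sh or cmd.exe would interpret if the name were spliced
# into a command line. Quotes and line breaks are included because they defeat
# naive quoting of the path; %VAR% and '^' matter on Windows.
SHELL_METACHARS = re.compile(r'[;&|`$<>"\'\^\n\r]|%[A-Za-z_][A-Za-z0-9_]*%')


def suspicious_entries(cache_root: Path) -> list:
    """Names directly under cache_root that a benign cache would never produce."""
    return sorted(p.name for p in cache_root.iterdir()
                  if SHELL_METACHARS.search(p.name))


def writable_by_others(path: Path) -> bool:
    """POSIX mode-bit check: can group or world create entries in this directory?"""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cache_dir(cache_root: Path) -> dict:
    """Both checks in one report, suitable for a scheduled job or a one-off triage."""
    return {
        "group_or_world_writable": writable_by_others(cache_root),
        "suspicious": suspicious_entries(cache_root),
    }


def demo() -> dict:
    """Constructed sample: a throwaway cache root with one benign and three
    crafted folder names, audited once locked down and once left world-writable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("normal_cache", "x; id", "y`whoami`", "$(date)"):
            (root / name).mkdir()
        os.chmod(root, 0o700)
        locked = audit_cache_dir(root)
        os.chmod(root, 0o777)
        exposed = audit_cache_dir(root)
    return {"locked": locked, "exposed": exposed}


if __name__ == "__main__":
    # Assumed invocation: python audit_cache.py /path/to/reolink/cache
    if len(sys.argv) > 1:
        print(audit_cache_dir(Path(sys.argv[1])))
    else:
        print(demo())
```

A non-empty "suspicious" list is worth an incident ticket on its own, because nothing the application does legitimately should create such names; a True "group_or_world_writable" means the supplier's self-attack argument does not hold on that host, since any local account could plant the folder.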
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-17T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68f7d9a4247d717aace21679
Added to database: 10/21/2025, 7:06:12 PM
Last enriched: 10/28/2025, 10:08:32 PM
Last updated: 10/30/2025, 8:57:38 AM