Post 46 | Security Advisory: Unsecured UART Root Shell in Reolink Video Doorbell Wi-Fi (CVE-2025-60856)

Author: Shaunak Ganorkar, Traboda Cyberlabs Pvt. Ltd.
Published: October 2025
CVE ID: CVE-2025-60856
Vendor: Reolink
Product: Reolink Video Doorbell Wi-Fi – DB_566128M5MP_W
Affected Components: /etc/init.d/start_app, /etc/passwd, /dev/ttyS0
Impact: Physical Root-Level Code Execution
Severity: Medium
Status: Public


Summary

Reolink Video Doorbell Wi-Fi (DB_566128M5MP_W) exposes an unsecured UART serial console that grants direct root shell access without authentication.
This issue allows attackers with physical access to the hardware to gain full control of the device.


Vulnerability Details

  • Vulnerability Type: Incorrect Access Control
  • Attack Type: Physical
  • Impact: Privilege escalation to root via serial interface
  • Attack Vector: Connecting to the UART pads during the boot sequence bypasses authentication checks and spawns an unrestricted root shell.

Technical Findings

  1. The /etc/init.d/start_app script initializes services without disabling serial access.
  2. The /etc/passwd file contains no password for the root user.
  3. Serial logs revealed boot output accessible via /dev/ttyS0, providing direct access to a root shell.
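
A firmware build check for the findings above, added here as an example; it is not code from the advisory's author or from Reolink. It assumes the root filesystem has been extracted and that its passwd, shadow and init script contents are passed in as text. The sample inputs are constructed and are not taken from the device.

```python
import re

SERIAL_DEV = "ttyS0"  # console device named in the advisory
SHELL_RE = re.compile(r"(^|[\s:/-])(sh|ash|bash)(\s|$)")

def passwordless_accounts(passwd_text, shadow_text=""):
    """Return login-capable accounts whose password field is empty."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    hits = []
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 7 or parts[0].startswith("#"):
            continue
        user, pw, shell = parts[0], parts[1], parts[6]
        if pw == "x":                   # hash is stored in the shadow file
            pw = shadow.get(user, "*")  # assumption: no shadow entry means locked
        if pw == "" and not shell.endswith(("nologin", "false")):
            hits.append(user)
    return hits

def serial_console_lines(init_text, dev=SERIAL_DEV):
    """Return (lineno, kind, line) for active lines that put a getty or shell on dev."""
    out = []
    for n, raw in enumerate(init_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or dev not in line:
            continue
        if "getty" in line:
            out.append((n, "getty", line))
        elif SHELL_RE.search(line):
            out.append((n, "shell", line))
    return out

def audit(passwd_text, init_text, shadow_text=""):
    """Return findings for a rootfs; an empty list means both checks passed."""
    users = passwordless_accounts(passwd_text, shadow_text)
    findings = [f"passwd: '{u}' has an empty password" for u in users]
    for n, kind, line in serial_console_lines(init_text):
        if kind == "shell":
            findings.append(f"init:{n}: shell on {SERIAL_DEV} with no login step")
        elif "root" in users:
            findings.append(f"init:{n}: getty on {SERIAL_DEV} and root has no password")
    return findings

# Constructed samples, not taken from the device firmware.
VULN_PASSWD = "root::0:0:root:/root:/bin/sh\nnobody:x:65534:65534:nobody:/:/bin/false\n"
VULN_INIT = "# start services\n/sbin/getty -L ttyS0 115200 vt100 &\n"
FIXED_PASSWD = "root:x:0:0:root:/root:/bin/sh\n"
FIXED_SHADOW = "root:$6$constructed$constructedhash:19000:0:99999:7:::\n"
FIXED_INIT = "# serial console disabled\n# /sbin/getty -L ttyS0 115200 vt100 &\n"
```

Run `audit()` in the release pipeline and fail the build when it returns a non-empty list.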

Impact

  • Full root-level device control via physical console
  • Firmware modification or permanent backdoor installation
  • Access to sensitive configuration data and network credentials

Recommendations

For Users

  • Prevent physical access to devices in public or shared areas.
  • If possible, epoxy or shield exposed UART pads on production units.

For Vendor

  • Disable the serial console in production firmware builds.
  • Implement secure boot and password-based shell protection.
  • Restrict maintenance interfaces to authenticated engineering modes only.

Discoverer

Shaunak Ganorkar
Traboda Cyberlabs Pvt. Ltd.

🔗 https://www.cybermaya.in
🔗 https://traboda.com
🔗 https://www.linkedin.com/in/shaunakganorkar


Disclaimer

This finding was identified via static and hardware-assisted analysis.
No unauthorized access to production environments was performed.

This post is licensed under CC BY-NC-ND 4.0 by the author.