CVE-2019-11001

Name: CVE-2019-11001
Creator: NVD / NIST
Published: 2019-04-08T17:29:00.59+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.2/10Actively ExploitedEPSS 38.37%

Last modified Jun 17, 2026

CVE-2019-11001 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices through 1.0.227, an authenticated admin can use the "TestEmail" functionality to inject and run OS commands as root, as demonstrated by shell metacharacters in the addr1 field.. CISA has confirmed active exploitation in the wild. EPSS estimates a 38.37% chance of exploitation in the next 30 days.

Description

On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices through 1.0.227, an authenticated admin can use the "TestEmail" functionality to inject and run OS commands as root, as demonstrated by shell metacharacters in the addr1 field.

Metrics

CVSS 3.1

7.2/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

38.37%

98.4th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Jan 8, 2025.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Reolink	Rlc-410w Firmware	<= 1.0.227
Reolink	C1 Pro Firmware	<= 1.0.227
Reolink	C2 Pro Firmware	<= 1.0.227
Reolink	Rlc-422w Firmware	<= 1.0.227
Reolink	Rlc-511w Firmware	<= 1.0.227

References

https://github.com/mcw0/PoC/blob/master/Reolink-IPC-RCE.pyExploit, Third Party Advisory
https://www.vdoo.com/blog/working-with-the-community-%E2%80%93-significant-vulnerabilities-in-reolink-cameras/Broken Link, Exploit, Third Party Advisory
https://github.com/mcw0/PoC/blob/master/Reolink-IPC-RCE.pyExploit, Third Party Advisory
https://www.vdoo.com/blog/working-with-the-community-%E2%80%93-significant-vulnerabilities-in-reolink-cameras/Broken Link, Exploit, Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11001US Government Resource

Timeline

Published: Apr 8, 2019
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2019-11001?

How severe is CVE-2019-11001?

CVE-2019-11001 has a CVSS score of 7.2/10 (HIGH severity). The EPSS model estimates a 38.37% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2019-11001?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-11001?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST