Reolink Intent Redirection

1. Reporting Information

Name: Team Brrester

2. Overview of Vulnerabilities

Vulnerability Title: Intent Redirection

Date of Discovery: 2025.05.20

Discovery Location (URL or System Path):
- com.mcu.reolink/com.android.bc.ForegroundLockActivity
- com.mcu.reolink/com.android.bc.login.WelcomeActivity

Vulnerability Type (CWE ID):
- CWE-940: Improper Verification of Source of a Communication Channel
- CWE-926: Improper Export of Android Application Components

Vulnerability Description:
Intent redirection vulnerabilities allow an attacker to partially or completely control a user-provided intent that is then used to launch new components in the context of the vulnerable app. In particular, this may allow unauthorized access to internal functions or to non-public components.

3. Details

Impacted Products/Services: Reolink App

Product Version: 4.54.0.4.20250526

Vulnerable Components:
- com.mcu.reolink/com.android.bc.ForegroundLockActivity
- com.mcu.reolink/com.android.bc.login.WelcomeActivity

Attack Vector: