YeaLink DM 3.6.0.20 - Remote Command Injection
Yealink Device Management DM 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication. id: CVE-2021-27561 info: name: YeaLink DM 3.6.0.20 - Remote Command Injection author: shifacyclewala,hackergautam severity: critical description: Yealink...
CVE-2025-66737
Yealink T21PE2 Phone 52.84.0.15 is vulnerable to Directory Traversal. A remote normal privileged attacker can read arbitrary files via a crafted request result read function of the diagnostic component...
CVE-2025-68644
Yealink RPS before 2025-06-27 allows unauthorized access to information (including AutoP URL addresses) due to an inadequate authentication mechanism. A security update deploying an enhanced authentication mechanism to all cloud instances fixes the issue. Affected product: Yealink RPS prior to 20...
CVE-2025-52917
The CVE applies to Yealink YMCS RPS API prior to 2025-05-26, where a lack of rate limiting enables information disclosure through excessive requests. Affected component: Yealink RPS API; root cause: missing rate-limiting controls on API endpoints, leading to potential exposure of sensitive data u...
Yealink Device Management Platform Web Interface Detection
Binary data yealinkdevicemanagementplatformwebdetect.nbin...
Yealink Device Management Platform Pre-authentication Remote Command Injection (CVE-2021-27561)
Binary data yealinkdevicemanagementplatformCVE-2021-27561.nbin...
CVE-2024-30939
An issue discovered in Yealink VP59 Teams Editions with firmware version 91.15.0.118 allows a physically proximate attacker to gain control of an account via a flaw in the factory reset procedure...
CVE-2024-30939
The CVE-2024-30939 entry affects Yealink VP59 Teams Editions firmware 91.15.0.118. The root cause is a flaw in the factory reset procedure, enabling a physically proximate attacker to gain control of an account. Documents consistently describe the attack surface as physical access and the impact ...
CVE-2024-28442
Directory Traversal vulnerability in Yealink VP59 v.91.15.0.118 allows a physically proximate attacker to obtain sensitive information via terms of use function in the company portal component...
CVE-2024-24681
An issue was discovered in Yealink Configuration Encrypt Tool AES version and Yealink Configuration Encrypt Tool RSA version before 1.2. There is a single hardcoded key used to encrypt provisioning documents across customers' installations...
CVE-2024-24681
The CVE-2024-24681 entry concerns Yealink Configuration Encrypt Tool: AES version and RSA versions before 1.2 use a single hardcoded AES key to encrypt provisioning documents, shared across customers. This weak key handling is the root cause and can compromise confidentiality of provisioning data...
Yealink Configuration Encrypt Tool Static AES Key
CloudAware Security Advisory CVE-2024-24681: Insecure AES key in Yealink Configuration Encrypt Tool ======================================================================== Summary ======================================================================== A single, vendorwide, hardcoded AES key in...
CVE-2022-48625
Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key pair, and thus there is a risk of decryption by an adversary...
Design/Logic Flaw
Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key pair, and thus there is a risk of decryption by an adversary...
CVE-2022-48625
Concerning CVE-2022-48625, the vulnerability affects Yealink Config Encrypt Tool versions prior to 1.2, which ships with a built-in RSA key pair. This design enables potential decryption of encrypted deployment files by an adversary using the default key. The impact is a decryption risk (per the ...
CVE-2024-24091
Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface...
CVE-2020-24113
The CVE-2020-24113 entry describes a Directory Traversal vulnerability in the Contacts File Upload Interface of Yealink W60B (firmware version 77.83.0.85). The underlying issue is a path traversal flaw that can let an attacker access sensitive information and may cause a denial of service. The av...
Yealink Device Management Command Injection (CVE-2021-27561)
A command injection vulnerability exists in Yealink Device Management. The vulnerability is due to improper handling of a crafted HTTP request...