QID 731237

Date Published: 2024-03-14

QID 731237: Yealink Device Management Multiple Vulnerabilities

The Yealink Device Management Platform offers a comprehensive management solution with the following key features: unified deployment and management, real-time monitoring with alarms, and remote troubleshooting.

CVE-2021-27561: Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.

Affected Versions:
Yealink Device Management (DM) 3.6.0.20

QID Detection Logic (Unauthenticated):
This QID checks for vulnerable Yealink Device Management targets by sending a crafted payload to the '/sm/api/v1/firewall/zone/services' endpoint that executes the 'id' command. A vulnerable target returns the output of the 'id' command in its response.

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected device.
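The detection logic above probes the endpoint directly; the complementary check on the defender's side is to look for requests that have already reached that endpoint in the web-server access log, since it is supposed to require authentication. The following Python is an added example, not Qualys or Yealink code; it assumes a combined-format access log (the page does not state the log format of the YDMP appliance itself) and uses constructed sample lines.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2024:10:01:02 +0000] "POST /sm/api/v1/firewall/zone/services HTTP/1.1" 200 312 "-" "curl/8.4.0"
198.51.100.9 - - [14/Mar/2024:10:01:05 +0000] "GET /sm/api/v1/firewall/zone/services?name=lan%3Bid HTTP/1.1" 200 145 "-" "python-requests/2.31"
10.0.0.5 - admin [14/Mar/2024:10:02:11 +0000] "GET /sm/api/v1/status HTTP/1.1" 200 98 "-" "Mozilla/5.0"
10.0.0.5 - admin [14/Mar/2024:10:02:30 +0000] "GET /sm/api/v1/firewall/zone/services HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

VULNERABLE_PATH = "/sm/api/v1/firewall/zone/services"
# Shell metacharacters have no place in a firewall zone/service name; seeing them
# in the (URL-decoded) request line points to an injection attempt rather than normal use.
META_RE = re.compile(r"[;|&`$\n]")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Return a finding for a hit on the vulnerable endpoint (reasons may be empty), else None."""
    path, _, query = rec["path"].partition("?")
    if path != VULNERABLE_PATH:
        return None
    reasons = []
    if rec["user"] == "-":               # endpoint reached with no authenticated user logged
        reasons.append("unauthenticated")
    if META_RE.search(unquote(query)):   # decode %3B etc. before looking for metacharacters
        reasons.append("shell-metacharacters")
    if reasons and rec["status"].startswith("2"):
        reasons.append("request-succeeded")  # server answered 2xx instead of rejecting
    return {"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
            "status": rec["status"], "reasons": reasons}

def scan(text):
    """Return findings for every endpoint hit that has at least one reason to review."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding and finding["reasons"]:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

An authenticated request that the server rejected (the 401 line) is parsed but not reported, so the output is limited to hits that match the unauthenticated pattern the QID describes.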

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as Critical - 10 severity.
  • Solution
    Customers are advised to update to the latest firmware version provided by the vendor to mitigate this vulnerability. For information regarding the product, please refer to the Yealink Device Management Platform (YDMP)

    Vendor References

    CVEs related to QID 731237
