← back
CVE-2021-27561

CVE-2021-27561

CVSS 9.8 CRITICALEPSS 82.5%● KEVCWE-78
Vexday Risk Score
95Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.8EPSS 82.5%KEV simPoC Nuclei simMetasploit Patch
Lifecycle
15 Oct 2021Published on NVD
03 Nov 2021Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

Yealink Device Management allows attackers to run commands with root privileges without logging in, through a specific web address. This lets attackers take complete control of the device.

Technical detail

An unauthenticated remote attacker can inject arbitrary OS commands via the /sm/api/v1/firewall/zone/services endpoint in Yealink DM 3.6.0.20, resulting in code execution with root privileges. The vulnerability stems from insufficient input validation on user-supplied parameters passed to system command execution functions (CWE-78 OS Command Injection).

Summary generated and translated by AI from the official description.
Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://ssd-disclosure.com/?p=4688https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27561