Yealink SIP-T21P E2 CVE-2025-66737
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-reachable diagnostic endpoint requires low-privilege authentication; only confidentiality is impacted via file read with no integrity or availability effect.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Yealink T21P_E2 Phone 52.84.0.15 is vulnerable to Directory Traversal. A remote normal privileged attacker can read arbitrary files via a crafted request result read function of the diagnostic component.
AnalysisAI
Directory traversal in Yealink SIP-T21P(E2) IP phone firmware 52.84.0.15 exposes arbitrary files to low-privileged remote attackers via a crafted request to the diagnostic component's result read function. The flaw is confined to confidentiality impact - attackers can exfiltrate sensitive files (credentials, configuration, logs) stored on the device but cannot modify or crash it. A publicly available proof-of-concept exists, though EPSS at 0.62% indicates limited observed exploitation activity and the device is not listed in the CISA KEV catalog.
Technical ContextAI
The affected product is the Yealink SIP-T21P(E2) VoIP IP phone running firmware version 52.84.0.15, identified by CPE cpe:2.3:o:yealink:sip-t21(p)e2_firmware:52.84.0.15. The phone exposes a web-based management and diagnostic interface over the network. CWE-23 (Relative Path Traversal) describes the root cause: the diagnostic component's read function accepts user-supplied input to construct a file path but fails to sanitize path traversal sequences such as '../', allowing the constructed path to escape the intended restricted directory. Yealink IP phones run a stripped Linux-based firmware, and successful exploitation could expose files such as configuration files containing SIP credentials, provisioning data, or system files within the firmware's accessible filesystem.
RemediationAI
No vendor-released patch or official Yealink security advisory has been identified at time of analysis. The sole reference is a POC hosted on Google Drive rather than a Yealink product page or PSIRT bulletin. Defenders should check the Yealink support portal directly for firmware updates beyond 52.84.0.15 and apply any newer release if available. As compensating controls, organizations should isolate VoIP phones on a dedicated VLAN with strict ACLs that block access to the web management interface (typically TCP 80/443) from untrusted network segments - this directly removes network reachability (AV:N) as an exploitation precondition and is the most impactful mitigation available. Additionally, restrict authenticated access to the diagnostic interface to the minimum necessary accounts, change any default credentials immediately, and consider disabling the web management interface entirely if remote management is not required, using only provisioning-server-based configuration delivery instead.
More in Sip T21 P E2 Firmware
View allSame weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today