Skip to main content

Yealink T21P_E2 CVE-2025-66738

HIGH
Command Injection (CWE-77)
2025-12-26 cve@mitre.org
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable web diagnostic feature (AV:N/AC:L) requires a low-privilege authenticated session (PR:L) with no user interaction; command injection yields full OS control, so C/I/A all High.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:41 vuln.today

DescriptionCVE.org

An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component.

AnalysisAI

Authenticated command injection in the Yealink SIP-T21P_E2 IP phone (firmware 52.84.0.15) lets a remote user with normal, non-administrative privileges execute arbitrary operating-system commands by sending a crafted request to the ping utility of the diagnostic component. Because the CVSS vector reports PR:L, exploitation requires only a low-privileged authenticated session, and publicly available exploit code exists, though the EPSS probability remains modest at 0.60% (44th percentile) and the flaw is not listed in CISA KEV. Successful exploitation yields full high-impact compromise of confidentiality, integrity, and availability on the device.

Technical ContextAI

The affected asset is a Yealink SIP-T21P_E2 VoIP desk phone, an embedded Linux-based SIP endpoint identified by CPE cpe:2.3:o:yealink:sip-t21(p)e2_firmware:52.84.0.15. The vulnerability is a classic CWE-77 Command Injection: the diagnostic web component exposes a ping function that is intended to invoke the underlying OS ping binary against a user-supplied host, but it fails to sanitize the input before passing it to a shell. An attacker can append shell metacharacters (e.g. ';', '|', '&&', backticks, or '$()') to the target parameter so that the embedded OS interprets attacker-controlled data as additional commands, executing them with the privileges of the web/diagnostic service process on the phone.

RemediationAI

No vendor-released patch or fixed firmware version is identified in the available data, so remediation must rely on compensating controls. Contact Yealink for a firmware update superseding 52.84.0.15 and monitor the vendor support portal, since the provided references contain no advisory or fix URL. In the interim, restrict network access to the phone's web/diagnostic management interface by placing VoIP endpoints on a dedicated, firewalled voice VLAN and blocking access to the phone's HTTP/management ports from user and untrusted networks (side effect: administrators must manage phones from the trusted VLAN or via jump host). Change all default and weak phone/web credentials and disable unused local accounts to raise the PR:L barrier the attack depends on (side effect: minimal, but requires credential inventory). If the diagnostic/ping feature is not operationally needed, disable remote access to the diagnostic component or the web UI entirely (side effect: loss of remote troubleshooting). Finally, monitor for anomalous outbound connections or shell activity from phone IP ranges as a detection backstop.

Share

CVE-2025-66738 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy