Yealink T21P_E2 CVE-2025-66738
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable web diagnostic feature (AV:N/AC:L) requires a low-privilege authenticated session (PR:L) with no user interaction; command injection yields full OS control, so C/I/A all High.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component.
AnalysisAI
Authenticated command injection in the Yealink SIP-T21P_E2 IP phone (firmware 52.84.0.15) lets a remote user with normal, non-administrative privileges execute arbitrary operating-system commands by sending a crafted request to the ping utility of the diagnostic component. Because the CVSS vector reports PR:L, exploitation requires only a low-privileged authenticated session, and publicly available exploit code exists, though the EPSS probability remains modest at 0.60% (44th percentile) and the flaw is not listed in CISA KEV. Successful exploitation yields full high-impact compromise of confidentiality, integrity, and availability on the device.
Technical ContextAI
The affected asset is a Yealink SIP-T21P_E2 VoIP desk phone, an embedded Linux-based SIP endpoint identified by CPE cpe:2.3:o:yealink:sip-t21(p)e2_firmware:52.84.0.15. The vulnerability is a classic CWE-77 Command Injection: the diagnostic web component exposes a ping function that is intended to invoke the underlying OS ping binary against a user-supplied host, but it fails to sanitize the input before passing it to a shell. An attacker can append shell metacharacters (e.g. ';', '|', '&&', backticks, or '$()') to the target parameter so that the embedded OS interprets attacker-controlled data as additional commands, executing them with the privileges of the web/diagnostic service process on the phone.
RemediationAI
No vendor-released patch or fixed firmware version is identified in the available data, so remediation must rely on compensating controls. Contact Yealink for a firmware update superseding 52.84.0.15 and monitor the vendor support portal, since the provided references contain no advisory or fix URL. In the interim, restrict network access to the phone's web/diagnostic management interface by placing VoIP endpoints on a dedicated, firewalled voice VLAN and blocking access to the phone's HTTP/management ports from user and untrusted networks (side effect: administrators must manage phones from the trusted VLAN or via jump host). Change all default and weak phone/web credentials and disable unused local accounts to raise the PR:L barrier the attack depends on (side effect: minimal, but requires credential inventory). If the diagnostic/ping feature is not operationally needed, disable remote access to the diagnostic component or the web UI entirely (side effect: loss of remote troubleshooting). Finally, monitor for anomalous outbound connections or shell activity from phone IP ranges as a detection backstop.
More in Sip T21 P E2 Firmware
View allSame weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today