CVE Dictionary Entry: CVE-2021-27561
DATE PUBLISHED: 2021-01-11
Please Note:
Yealink takes the security of our customers and our products seriously. This is a living document and may be subject to updates. The latest version of this document can be found at the following URL: https://www.yealink.com/trust-center-resource
Vulnerability Summary
Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
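Defenders who cannot patch immediately can at least check whether the unauthenticated endpoint named above has been reached, and confirm the installed version against the fixed one. The following is an added example, not Yealink's code; it assumes the DM server writes a Common Log Format access log (an assumption), and the log lines are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Endpoint and fixed version named in the advisory for CVE-2021-27561.
VULN_URI = "/sm/api/v1/firewall/zone/services"
FIXED_VERSION = "3.6.0.31"

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.6.0.20' into (3, 6, 0, 20) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def is_fixed(version: str) -> bool:
    """True when the installed DM version is at or above the fixed release."""
    return parse_version(version) >= parse_version(FIXED_VERSION)

def find_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return every request whose path (query string stripped) is the vulnerable URI."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        path = match.group("path").split("?", 1)[0].rstrip("/")
        if path == VULN_URI:
            hits.append({k: match.group(k) for k in ("ip", "ts", "method", "status")})
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jan/2021:10:14:02 +0000] "POST /sm/api/v1/firewall/zone/services HTTP/1.1" 200 54',
    '192.0.2.15 - - [11/Jan/2021:10:14:09 +0000] "GET /sm/api/v1/status HTTP/1.1" 200 310',
    '198.51.100.4 - - [11/Jan/2021:10:15:30 +0000] "GET /sm/api/v1/firewall/zone/services?zone=public HTTP/1.1" 200 77',
    'this line is not an access-log entry',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} -> HTTP {hit['status']}")
    print("installed 3.6.0.20 fixed:", is_fixed("3.6.0.20"))
```

Any hit from an address that is not a known administrator is worth investigating, since the endpoint requires no authentication on affected versions.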
Product Affected
| Product Family and Model | Affected | Fixed |
|---|---|---|
| Yealink Device Management | <= 3.6.0.20 | 3.6.0.31 |
Solution
Yealink has released software updates that fix the vulnerability in the new version 3.6.0.31; please update promptly.
The software, release notes, and other documentation for your voice endpoint can be found at: https://support.yealink.com/en/portal/home
Mitigation
Yealink recommends all customers upgrade to the latest version.
Contact
Any customer using an affected system who is concerned about this vulnerability within their deployment should contact Yealink Technical Support by visiting: https://support.yealink.com/en/portal/home for the latest information.
You might also find value in the high-level security guidance and security news located at: https://support.yealink.com/en/portal/home