CVE-2025-52918

Published: Jun 21, 2025Modified: Jul 10, 2025

5.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Exploitability: 3.1 / Impact: 1.4

Source: MITRE (Secondary)

Description

Yealink RPS before 2025-05-26 does not prevent OpenAPI access by frozen enterprise accounts, allowing unauthorized access to deactivated interfaces.

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://dnip.ch/2025/06/25/yealink-voip-phones-insecurity-by-design/

Source: cve@mitre.org

https://seclists.org/fulldisclosure/2025/Jun/20

Source: cve@mitre.org

https://support.yealink.com/en/portal/knowledge/show?id=646b44278ef325311f38303f

Source: cve@mitre.org

https://www.yealink.com/en/trust-center/security-advisories/1318c5efb82e4526

Source: cve@mitre.org

Timeline

No history available yet.