CVE-2025-14228 is a cross-site scripting vulnerability identified in the Yealink SIP-T21P E2 IP phone firmware version 52.84.0.15. The vulnerability resides in an unspecified function within the Local Directory Page component of the device's web interface. An attacker can remotely exploit this flaw by injecting malicious scripts into the web interface, which are then executed in the context of the victim's browser session when interacting with the Local Directory Page. This can lead to unauthorized actions such as session hijacking, theft of sensitive information, or manipulation of device settings. The vulnerability requires no authentication but does require user interaction, such as visiting a crafted URL or interacting with malicious content served to the device's administrator or user. The vendor Yealink has not responded to the disclosure and the affected product is no longer supported, meaning no official patches or updates are available. The CVSS 4.0 score is 5.1 (medium severity), reflecting the network attack vector, low complexity, no privileges required, but user interaction needed and limited impact on integrity and confidentiality. The exploit code has been made publicly available, increasing the risk of opportunistic attacks. The vulnerability primarily affects legacy VoIP deployments using this specific Yealink model and firmware version, which may still be in use in some organizations despite end-of-life status.

For European organizations, the impact of this vulnerability lies mainly in the potential compromise of VoIP device integrity and confidentiality. Exploitation could allow attackers to hijack administrative sessions or inject malicious scripts that alter device behavior, potentially disrupting telephony services or leaking sensitive call information. This could affect business communications, especially in sectors such as finance, healthcare, and government where secure telephony is critical. Since the device is no longer supported, organizations cannot rely on vendor patches and must consider alternative mitigations. The presence of publicly available exploit code increases the likelihood of targeted or opportunistic attacks. Additionally, compromised devices could be leveraged as footholds within internal networks, leading to broader security incidents. The risk is heightened in environments where these devices are accessible from untrusted networks or where network segmentation is weak.

Given the lack of vendor support and patches, European organizations should prioritize the replacement of Yealink SIP-T21P E2 devices running the vulnerable firmware with supported hardware. Until replacement is feasible, organizations should implement strict network segmentation to isolate VoIP devices from general user networks and the internet. Disable or restrict web interface access to trusted management networks only, using firewall rules and access control lists. Employ strong authentication and monitoring on management interfaces to detect suspicious activity. Where possible, disable unused services on the device to reduce attack surface. Regularly audit and inventory VoIP devices to identify vulnerable models and firmware versions. Educate users and administrators about the risks of interacting with suspicious links or content related to device management. Consider deploying network intrusion detection systems (NIDS) tuned to detect exploitation attempts targeting this vulnerability. Finally, maintain up-to-date backups of device configurations to enable rapid recovery if compromise occurs.