CVE-2025-52917: CWE-770 Allocation of Resources Without Limits or Throttling in Yealink RPS
The Yealink RPS API before 2025-05-26 lacks rate limiting, potentially enabling information disclosure via excessive requests.
AI Analysis
Technical Summary
CVE-2025-52917 is a medium-severity vulnerability in the Yealink RPS (Redirection and Provisioning Service) API as it was deployed before 26 May 2025. RPS is Yealink's hosted service that tells a phone which provisioning server to fetch its configuration from, so the API's responses are themselves provisioning data. The weakness, classified as CWE-770 (Allocation of Resources Without Limits or Throttling), is that the API imposed no rate limit, so a caller could issue an unbounded number of requests. The disclosure risk does not come from the service being overwhelmed; it comes from volume. Without throttling, any response that varies with a guessable input (an identifier that exists versus one that does not, for example) can be queried at scale until the attacker has learned what the API was never meant to reveal in bulk, which is the "information disclosure via excessive requests" the description names. The CVSS v3.1 base score of 4.3 is consistent with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: the attack is network-reachable with low complexity and needs no user interaction, but it requires low-privileged access to the API (PR:L), and the impact is limited to confidentiality, with no integrity or availability impact. No exploitation in the wild has been reported. The "before 2025-05-26" wording points to a service-side change rather than a customer-installed patch, but no vendor advisory or patch reference is linked in this record. RPS is widely used to provision and manage Yealink VoIP phones and related communication devices.
Potential Impact
For European organizations, this vulnerability poses a moderate risk, especially for enterprises and public sector entities that rely on Yealink VoIP infrastructure. The record does not state which data the API exposes, so the prudent assumption is anything reachable through RPS: device-to-provisioning-server mappings, configuration details, or provisioning data that may carry account credentials. Such information helps an attacker locate and target the telephony estate, and can be a step toward eavesdropping or impersonation if the downstream provisioning server relies on the secrecy of its URL rather than on authentication. The vulnerability does not affect availability or integrity, but exposure of provisioning information undermines trust in the communication system and, where it includes personal data, is a potential GDPR reportable incident. Organizations in finance, healthcare, government, and critical infrastructure, where confidential voice communication matters most, face the greatest consequences if it is exploited.
Mitigation Recommendations
To mitigate this vulnerability, organizations using Yealink RPS should apply the following measures. Note that RPS is a vendor-hosted service: a customer cannot put a firewall or WAF in front of Yealink's API, so the network-level controls below protect the organization's own provisioning infrastructure and its own automation path to RPS; they do not throttle a third party's direct calls to the vendor API, which only the service-side fix can do.
1) Monitor your own RPS API usage and the RPS portal logs for abnormal request volumes or bursts of lookups that mostly fail, which are the signature of identifier enumeration.
2) Where your automation reaches RPS through an API gateway or proxy you control, enforce rate limiting there so that a compromised integration cannot be used as an enumeration engine; on any on-premises provisioning server, apply the same throttling to device-lookup endpoints.
3) Restrict RPS access to dedicated, least-privilege accounts used only by authorized provisioning systems and administrators, and rotate their credentials or API keys if misuse is suspected; since exploitation requires PR:L, controlling who holds API access is the most direct mitigation.
4) Segregate provisioning infrastructure from general user networks to reduce exposure.
5) Regularly audit provisioning logs for suspicious activity.
6) Do not rely on the secrecy of provisioning URLs: ensure the provisioning server the devices are redirected to uses HTTPS and authenticates devices, so that learning a mapping from RPS is not by itself enough to retrieve a configuration.
7) Confirm with Yealink support that the service-side fix dated 26 May 2025 is in effect for your tenant, and apply any further vendor guidance as it is published.
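The two pieces of the picture above, the per-client throttle that CWE-770 says was missing and the log review recommended in items 1 and 2, can be shown together. The following is an added example written for this page, not Yealink's RPS code: it replays constructed API access-log lines (the log format, the /api/v1/devices/<id> path, the client identifiers and the thresholds are all assumptions) through a sliding-window limiter to show which requests a throttle would have refused, and separately flags clients whose recent lookups are mostly 404s, the pattern of someone guessing identifiers.

```python
"""Sliding-window rate limiting and enumeration detection for an HTTP
provisioning API. Illustrative code for this page, not the vendor's."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not real RPS traffic). Assumed format per line:
# <ISO-8601 UTC timestamp> <client id> <method> <path> <HTTP status>
# acct-7 behaves normally; acct-42 walks through guessed device ids.
SAMPLE_LOG = """\
2025-05-20T10:00:00Z acct-7 GET /api/v1/devices/D4F2A1 200
2025-05-20T10:00:30Z acct-7 POST /api/v1/devices 200
2025-05-20T10:01:00Z acct-42 GET /api/v1/devices/D000001 404
2025-05-20T10:01:00Z acct-42 GET /api/v1/devices/D000002 404
2025-05-20T10:01:01Z acct-42 GET /api/v1/devices/D000003 404
2025-05-20T10:01:01Z acct-42 GET /api/v1/devices/D000004 404
2025-05-20T10:01:02Z acct-42 GET /api/v1/devices/D000005 404
2025-05-20T10:01:02Z acct-42 GET /api/v1/devices/D000006 200
2025-05-20T10:01:03Z acct-42 GET /api/v1/devices/D000007 404
2025-05-20T10:01:03Z acct-42 GET /api/v1/devices/D000008 404
2025-05-20T10:01:04Z acct-42 GET /api/v1/devices/D000009 404
2025-05-20T10:01:04Z acct-42 GET /api/v1/devices/D00000A 404
2025-05-20T10:02:00Z acct-7 GET /api/v1/devices/D4F2A2 200
this line is deliberately malformed and must be skipped
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Return a time-ordered list of (epoch_seconds, client, method, path, status)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the analysis
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        events.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    events.sort(key=lambda e: e[0])  # stable, so same-second order is kept
    return events


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds.
    This is the control whose absence CWE-770 describes."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # client -> timestamps still in window

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that have aged out of the window
        if len(q) >= self.limit:
            return False  # would be answered with HTTP 429
        q.append(now)
        return True


def replay(events, limit, window):
    """Replay the log through the limiter; return {client: rejected_count}."""
    limiter = SlidingWindowLimiter(limit, window)
    rejected = defaultdict(int)
    for ts, client, _method, _path, _status in events:
        if not limiter.allow(client, ts):
            rejected[client] += 1
    return dict(rejected)


def enumeration_suspects(events, window=60.0, min_requests=8, min_miss_ratio=0.8):
    """Flag clients that, within any `window` seconds, made at least
    `min_requests` requests of which `min_miss_ratio` or more were 404s:
    the footprint of guessing identifiers against a lookup endpoint."""
    recent = defaultdict(deque)  # client -> (timestamp, status) in window
    flagged = set()
    for ts, client, _method, _path, status in events:
        q = recent[client]
        q.append((ts, status))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= min_requests:
            misses = sum(1 for _, s in q if s == 404)
            if misses / len(q) >= min_miss_ratio:
                flagged.add(client)
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("rejected per client at 5 req / 10 s:", replay(evts, limit=5, window=10.0))
    print("enumeration suspects:", enumeration_suspects(evts))
```

With the thresholds used here acct-42 has half of its burst refused by the limiter and is flagged by the detector, while acct-7's three spaced-out requests pass both checks. The limiter keys on the authenticated client rather than the source IP because the vulnerability requires PR:L; an attacker with a valid account can change addresses, but not the identity the API already knows.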
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-21T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68573caff20900b727cae1f2
Added to database: 6/21/2025, 11:13:51 PM
Last enriched: 7/29/2025, 1:00:49 AM
Last updated: 8/18/2025, 1:22:23 AM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)