CVE-2025-52917: CWE-770 Allocation of Resources Without Limits or Throttling in Yealink RPS

Medium
Tags: Vulnerability, CVE-2025-52917, CWE-770
Published: Sat Jun 21 2025 (06/21/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Yealink
Product: RPS

Description

The Yealink RPS API before 2025-05-26 lacks rate limiting, potentially enabling information disclosure via excessive requests.

AI-Powered Analysis

Last updated: 07/29/2025, 01:00:49 UTC

Technical Analysis

CVE-2025-52917 is a medium-severity vulnerability affecting the Yealink RPS (Redirection and Provisioning Service) API in versions before May 26, 2025. The core issue is the absence of rate limiting or throttling controls on the API, which lets a caller send an unbounded volume of requests. The weakness is categorized as CWE-770, Allocation of Resources Without Limits or Throttling. Exploiting the flaw could lead to information disclosure, as the API may respond with sensitive data when subjected to a high volume of requests. The vulnerability can be exploited remotely over the network with low attack complexity; it requires some level of privileges (PR:L) but no user interaction (UI:N). The CVSS v3.1 base score is 4.3, indicating a medium-severity impact on confidentiality only, with no impact on integrity or availability. No exploits in the wild are known at this time, and no patches have been linked yet. Yealink RPS is widely used for provisioning and managing Yealink VoIP phones and related communication devices.

Potential Impact

For European organizations, this vulnerability poses a moderate risk, especially for enterprises and public sector entities that rely heavily on Yealink VoIP infrastructure for communication. Information disclosure could expose sensitive configuration details, user credentials, or provisioning data, potentially aiding attackers in further compromising telephony systems or conducting targeted attacks such as eavesdropping or impersonation. While the vulnerability does not directly impact system availability or integrity, the exposure of confidential provisioning information could undermine trust in communication systems and lead to privacy violations under GDPR. Organizations in sectors like finance, healthcare, government, and critical infrastructure, where secure communications are paramount, may face increased risks if this vulnerability is exploited.

Mitigation Recommendations

To mitigate this vulnerability, European organizations using Yealink RPS should implement the following specific measures:

1) Immediately monitor API usage patterns to detect abnormal request volumes indicative of abuse.
2) Apply network-level rate limiting or throttling controls via firewalls or API gateways to restrict excessive requests to the RPS API.
3) Enforce strict access controls and authentication mechanisms to limit API access only to authorized provisioning systems and administrators.
4) Segregate the RPS API network segment from general user networks to reduce exposure.
5) Regularly audit provisioning logs for suspicious activity.
6) Engage with Yealink support to obtain patches or updates addressing this vulnerability as soon as they become available.
7) Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block anomalous API request patterns.

These steps go beyond generic advice by focusing on compensating controls until official patches are released.
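Measures 1), 2) and 5) above all come down to the same control that CWE-770 says is missing: a per-client request budget. The following is an added example, not code from this page or from Yealink, of a sliding-window limiter that can sit in front of a provisioning API or be replayed over access logs to surface clients that exceeded the budget; the log format and the client identifiers are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample request log for an RPS-style provisioning API
# (hypothetical format, not real Yealink output): "<ts> <client> <method> <path> <status>"
SAMPLE_LOG = """\
1000 admin-a GET /api/devices/dev-001 200
1002 tool-b GET /api/devices/dev-002 200
1002 tool-b GET /api/devices/dev-003 200
1003 tool-b GET /api/devices/dev-004 200
1003 tool-b GET /api/devices/dev-005 200
1004 tool-b GET /api/devices/dev-006 200
1004 tool-b GET /api/devices/dev-007 200
1070 tool-b GET /api/devices/dev-008 200
"""

class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds."""
    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client -> timestamps of accepted requests

    def allow(self, client: str, ts: float) -> bool:
        q = self._hits[client]
        while q and ts - q[0] >= self.window:  # expire entries older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over quota: reject (HTTP 429) and do not record the hit
        q.append(ts)
        return True

def enforce(log_text: str, limit: int = 5, window: float = 60.0):
    """Replay a request log through the limiter; return the lines that would be
    rejected and the set of clients that hit the limit (the signal to alert on)."""
    limiter = SlidingWindowLimiter(limit, window)
    throttled, offenders = [], set()
    for line in log_text.splitlines():
        ts, client, _method, _path, _status = line.split()
        if not limiter.allow(client, float(ts)):
            throttled.append(line)
            offenders.add(client)
    return throttled, offenders

if __name__ == "__main__":
    rejected, who = enforce(SAMPLE_LOG)
    print(f"{len(rejected)} request(s) throttled; clients exceeding limit: {sorted(who)}")
```

Note that the limiter keys on the authenticated client, not the source IP, because PR:L means the caller already holds credentials; the thresholds (5 requests per 60 seconds here) must be tuned to legitimate provisioning traffic before being enforced.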

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-06-21T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68573caff20900b727cae1f2

Added to database: 6/21/2025, 11:13:51 PM

Last enriched: 7/29/2025, 1:00:49 AM

Last updated: 8/18/2025, 1:22:23 AM
