CVE-2025-52918 is a medium-severity vulnerability affecting Yealink's RPS (Redirection and Provisioning Service) product versions prior to May 26, 2025. The vulnerability is classified under CWE-863, which relates to incorrect authorization. Specifically, the issue arises because the Yealink RPS does not properly restrict OpenAPI access for enterprise accounts that have been frozen or deactivated. This means that even if an enterprise account is frozen—typically indicating suspension or deactivation—attackers or unauthorized users with some level of privileges can still access certain OpenAPI endpoints that should no longer be available. The vulnerability allows unauthorized access to interfaces that are intended to be disabled, potentially exposing sensitive provisioning or configuration data. According to the CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N), the attack can be performed remotely over the network with low attack complexity and requires low privileges but no user interaction. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact is limited to confidentiality, with no direct impact on integrity or availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was published on June 21, 2025.

For European organizations using Yealink RPS for device provisioning and management, this vulnerability could lead to unauthorized disclosure of sensitive provisioning data or configuration details. While the vulnerability does not allow modification or disruption of services, the leakage of confidential information could facilitate further targeted attacks, such as social engineering or lateral movement within the network. Enterprises relying on Yealink RPS for managing large fleets of VoIP devices or unified communication endpoints may face risks to operational security and privacy compliance, especially under stringent European data protection regulations like GDPR. The incorrect authorization flaw could undermine trust in device management processes and potentially expose customer or internal communication metadata. However, since exploitation requires at least low-level privileges and there is no user interaction needed, attackers with some initial access could leverage this vulnerability to escalate information gathering capabilities.

European organizations should immediately verify their Yealink RPS version and upgrade to the fixed version released after May 26, 2025, once available. Until patches are applied, organizations should restrict network access to the RPS OpenAPI endpoints, limiting exposure to trusted administrative networks only. Implement strict access controls and monitor for unusual API access patterns, especially from frozen or deactivated accounts. Conduct audits of enterprise account statuses to ensure no unauthorized accounts remain active or frozen with residual access. Employ network segmentation to isolate provisioning services from general user networks. Additionally, enforce multi-factor authentication for all administrative accounts to reduce the risk of privilege misuse. Organizations should also review and update incident response plans to include detection and response to unauthorized API access attempts. Finally, coordinate with Yealink support for any vendor-specific mitigation guidance or hotfixes.