CVE-2025-52918: CWE-863 Incorrect Authorization in Yealink RPS
Yealink RPS before 2025-05-26 does not prevent OpenAPI access by frozen enterprise accounts, allowing unauthorized access to deactivated interfaces.
AI Analysis
Technical Summary
CVE-2025-52918 is a medium-severity vulnerability (CVSS v3.1 base score 5.0) in Yealink RPS (Redirection and Provisioning Service), the hosted service that tells Yealink devices which provisioning server to contact. It affects RPS before 2025-05-26 and is classified as CWE-863 (Incorrect Authorization). The flaw is that RPS did not block OpenAPI access for enterprise accounts that had been frozen. Freezing an account is meant to suspend it, but the API layer only authenticated the caller's credentials and did not re-check the owning account's status on each request, so anyone still holding an API credential issued to a frozen account could keep calling interfaces that should have been unavailable. The exposed interfaces potentially return provisioning and configuration data for the account's devices. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N reads as: reachable over the network, low attack complexity, low privileges required (the frozen account's own credentials), no user interaction. Scope is changed, meaning the bypass reaches resources beyond the authorization component itself, and the rated impact is limited to confidentiality, with no integrity or availability impact. No exploitation in the wild has been reported. The "before 2025-05-26" wording in the description indicates the fix was applied on that date, although the CVE record links no separate patch advisory. The CVE was reserved and published on 2025-06-21.
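The authorization gap described above, reduced to a minimal model. This is an added example and not Yealink's code: the tenant records, API keys, endpoint names and the "frozen" status value are assumptions. The vulnerable handler authenticates the API key and stops there; the fixed handler re-checks the enterprise account's status on every call.

```python
"""
Added example (not Yealink's code): a minimal model of the CWE-863 pattern in
CVE-2025-52918. An OpenAPI-style request is authenticated by API key, but the
vulnerable handler never checks whether the owning enterprise account is
frozen. The hardened handler performs that status check on every request.
Tenant records, keys, endpoint names and the status model are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Enterprise:
    enterprise_id: str
    status: str          # assumed status model: "active" or "frozen"
    api_key_hash: str    # sha256 of the issued API key


def _key_hash(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample tenants (not real accounts or keys).
ENTERPRISES = {
    "ent-1001": Enterprise("ent-1001", "active", _key_hash("key-active-0001")),
    "ent-2002": Enterprise("ent-2002", "frozen", _key_hash("key-frozen-0002")),
}


def authenticate(enterprise_id: str, api_key: str) -> Optional[Enterprise]:
    """Return the enterprise if the presented API key matches, else None.

    Authentication only: this proves who holds the key, not that the
    account is still allowed to use the API.
    """
    ent = ENTERPRISES.get(enterprise_id)
    if ent is None:
        return None
    if not hmac.compare_digest(ent.api_key_hash, _key_hash(api_key)):
        return None
    return ent


def handle_request_vulnerable(enterprise_id: str, api_key: str,
                              endpoint: str) -> Tuple[int, str]:
    """Vulnerable: a valid key is treated as full authorization.

    A key issued to an account that was later frozen still works, which is
    the behaviour the advisory describes.
    """
    ent = authenticate(enterprise_id, api_key)
    if ent is None:
        return 401, "unauthorized"
    return 200, f"{endpoint} data for {ent.enterprise_id}"


def handle_request_fixed(enterprise_id: str, api_key: str,
                         endpoint: str) -> Tuple[int, str]:
    """Fixed: authorization re-checks account status on every call.

    The check happens at request time, not only when the key was issued,
    so freezing the account takes effect immediately for existing keys.
    """
    ent = authenticate(enterprise_id, api_key)
    if ent is None:
        return 401, "unauthorized"
    if ent.status != "active":
        # Worth logging: a credential for a frozen account is still in use.
        return 403, "account frozen"
    return 200, f"{endpoint} data for {ent.enterprise_id}"


if __name__ == "__main__":
    # The frozen tenant's key: accepted by the vulnerable handler, rejected by the fix.
    print(handle_request_vulnerable("ent-2002", "key-frozen-0002", "/api/v1/devices"))
    print(handle_request_fixed("ent-2002", "key-frozen-0002", "/api/v1/devices"))
```

The design point is where the status check lives: a check performed only at login or key issuance is bypassed by any credential that outlives the account's active state, so the check has to run on the request path, and freezing should ideally be paired with credential revocation rather than relied on alone.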
Potential Impact
For European organizations that use Yealink RPS to redirect and provision VoIP phones and other unified-communication endpoints, the realistic impact is disclosure: a credential belonging to an enterprise account that was frozen (for example after a reseller, partner or administrator was off-boarded) can still read provisioning and configuration details through the OpenAPI. The flaw does not allow data modification or service disruption, but the disclosed information, typically the device-to-provisioning-server mappings that RPS manages together with account details, can feed follow-on attacks such as social engineering or targeted access to the provisioning infrastructure it points to. Under GDPR and similar rules, exposure of data about staff devices and communication endpoints may also be a reportable incident. Because the attacker needs valid, if frozen, credentials and no user interaction, the most likely exploitation path is a former partner or insider whose access was frozen rather than revoked, continuing to harvest information after they were supposed to be locked out.
Mitigation Recommendations
Confirm with Yealink that the RPS instance your organization uses carries the fix dated 2025-05-26; the CVE record links no separate patch, so the vendor is the authority on whether your deployment is covered. Do not treat freezing an account as a revocation mechanism: when an enterprise account is frozen or off-boarded, revoke or rotate its OpenAPI credentials (keys, tokens) so that a status check is not the only thing standing between the credential and the data. Where the deployment allows it, restrict network access to the OpenAPI endpoints to trusted administrative ranges and segment provisioning services from general user networks. Review OpenAPI access logs for successful calls made by accounts that were frozen at the time; any such hit is evidence of exposure rather than a configuration problem and should go through incident response. Audit enterprise account statuses so that no frozen account retains live credentials. Enforce multi-factor authentication on administrative accounts, and add unauthorized-API-access scenarios to incident response plans. Coordinate with Yealink support for vendor-specific guidance or hotfixes.
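The log review recommended above, as an added example that is not part of the advisory or of Yealink's tooling: it scans OpenAPI-style access logs for calls made with credentials of enterprise accounts that were frozen, and separates calls that succeeded (evidence of exposure) from calls that were denied (the expected outcome once the fix is in place). The log format, field names and the account-status export are assumptions, and the log lines are constructed.

```python
"""
Added detection example (not from the advisory or from Yealink): find OpenAPI
calls made by frozen enterprise accounts. The log format, field names and the
frozen-account export are assumptions; the sample log lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Assumed log layout: one request per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) enterprise=(?P<ent>\S+) key_id=(?P<key>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2025-06-22T10:15:01Z enterprise=ent-1001 key_id=k-11 method=GET path=/api/v1/devices status=200
2025-06-22T10:15:07Z enterprise=ent-2002 key_id=k-77 method=GET path=/api/v1/devices status=200
2025-06-22T10:15:09Z enterprise=ent-2002 key_id=k-77 method=GET path=/api/v1/servers status=200
2025-06-22T10:16:30Z enterprise=ent-3003 key_id=k-90 method=POST path=/api/v1/devices status=403
this line is malformed and is skipped
"""

# Constructed account-status export: enterprise IDs that are frozen.
FROZEN_ACCOUNTS: Set[str] = {"ent-2002", "ent-3003"}

Event = Tuple[str, str, str]                  # (timestamp, method, path)
Finding = Dict[str, List[Event]]              # {"allowed": [...], "denied": [...]}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_frozen_account_access(log_text: str,
                               frozen: Set[str]) -> Dict[Tuple[str, str], Finding]:
    """Group calls from frozen accounts by (enterprise, key_id).

    2xx responses go under "allowed": the frozen account got data, which is
    the CVE-2025-52918 condition. Other responses go under "denied", which
    is what a fixed service should produce and is still worth tracking
    because the credential is evidently in use.
    """
    hits: Dict[Tuple[str, str], Finding] = defaultdict(
        lambda: {"allowed": [], "denied": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ent"] not in frozen:
            continue
        bucket = "allowed" if rec["status"].startswith("2") else "denied"
        hits[(rec["ent"], rec["key"])][bucket].append(
            (rec["ts"], rec["method"], rec["path"]))
    return dict(hits)


def alerts(findings: Dict[Tuple[str, str], Finding]) -> List[Tuple[str, str]]:
    """(enterprise, key_id) pairs with at least one successful call while frozen."""
    return sorted(k for k, v in findings.items() if v["allowed"])


if __name__ == "__main__":
    found = find_frozen_account_access(SAMPLE_LOG, FROZEN_ACCOUNTS)
    for key in alerts(found):
        paths = sorted({p for _, _, p in found[key]["allowed"]})
        print(f"EXPOSURE {key[0]} via key {key[1]}: {len(found[key]['allowed'])} "
              f"successful calls to {paths}")
```

Run it against the real access log and the current list of frozen enterprise IDs; every pair reported by alerts() should be treated as confirmed data exposure for that account, and its key should be revoked regardless of whether the service has since been fixed.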
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-21T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68573caff20900b727cae1f6
Added to database: 6/21/2025, 11:13:51 PM
Last enriched: 7/29/2025, 1:01:04 AM
Last updated: 8/18/2025, 1:22:23 AM