CVE-2025-66737 is a directory traversal vulnerability identified in the Yealink T21P_E2 IP phone firmware version 52.84.0.15. The flaw exists in the diagnostic component's read function, which processes requests that can be crafted to traverse directories and read arbitrary files on the device's filesystem. An attacker with normal user privileges can remotely send malicious requests to exploit this vulnerability without requiring elevated permissions or user interaction. Directory traversal vulnerabilities allow attackers to bypass intended access controls and retrieve sensitive files such as configuration files, credentials, or logs that may contain sensitive information. The Yealink T21P_E2 is a widely deployed VoIP phone model used in enterprise environments, making this vulnerability particularly concerning for organizations relying on these devices for communication. Although no public exploits or patches are currently available, the vulnerability's presence in a network-facing device increases the risk of reconnaissance and information disclosure attacks. The lack of a CVSS score complicates risk assessment, but the technical details suggest a high severity due to the potential impact on confidentiality and the ease of exploitation remotely. The vulnerability was reserved and published in December 2025, indicating recent discovery and disclosure.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information stored on Yealink T21P_E2 phones, including configuration files, user credentials, or call logs. Such information leakage can facilitate further attacks such as credential theft, network reconnaissance, or targeted phishing campaigns. The compromise of telephony devices can also undermine the confidentiality and integrity of voice communications, potentially exposing sensitive business conversations. Organizations with large deployments of Yealink phones in sectors such as finance, government, healthcare, and critical infrastructure are at heightened risk. The remote exploitation capability without elevated privileges or user interaction increases the attack surface, especially in environments where these devices are accessible from less trusted network segments. This could lead to lateral movement within corporate networks or exposure of internal network topology. The absence of known exploits in the wild provides a window for proactive mitigation, but the lack of available patches necessitates immediate compensating controls to reduce risk.

1. Immediately inventory all Yealink T21P_E2 phones in the network and identify those running firmware version 52.84.0.15. 2. Restrict network access to the management and diagnostic interfaces of these devices using network segmentation and firewall rules, limiting access only to trusted administrative hosts. 3. Disable or restrict the diagnostic component or any unnecessary services on the affected phones if possible. 4. Monitor network traffic to and from Yealink phones for suspicious or anomalous requests that may indicate exploitation attempts. 5. Implement strict access controls and authentication mechanisms for device management interfaces to prevent unauthorized access. 6. Engage with Yealink or authorized vendors to obtain firmware updates or patches addressing this vulnerability as soon as they become available. 7. Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics tailored to detect directory traversal attempts targeting VoIP devices. 8. Educate IT and security teams about this vulnerability to ensure rapid response to any indicators of compromise. 9. As a longer-term measure, evaluate the security posture of VoIP devices and consider alternative solutions with stronger security guarantees if remediation is delayed.