CVE-2025-66737 identifies a directory traversal vulnerability in the Yealink T21P_E2 IP phone firmware version 52.84.0.15. The flaw resides in the diagnostic component's file read function, which improperly sanitizes user input, allowing a remote attacker with normal privileges to craft requests that traverse directories and read arbitrary files on the device's filesystem. This vulnerability is classified under CWE-23 (Relative Path Traversal). The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring normal privileges (PR:L) but no user interaction (UI:N). The scope remains unchanged (S:U), and the impact affects confidentiality only (C:L), with no impact on integrity or availability. The vulnerability was reserved and published in December 2025, with no patches or known exploits currently available. Exploitation could expose sensitive configuration files, credentials, or call logs stored on the device, potentially aiding further attacks or information leakage. The absence of a patch necessitates immediate compensating controls to limit exposure. Given the widespread use of Yealink phones in enterprise VoIP deployments, this vulnerability poses a tangible risk to organizations relying on these devices for communication.

For European organizations, the exploitation of CVE-2025-66737 could lead to unauthorized disclosure of sensitive information such as configuration files, user credentials, or call metadata stored on Yealink T21P_E2 phones. This could facilitate further attacks, including network intrusion or eavesdropping on communications. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach can undermine trust in communication systems and potentially violate data protection regulations like GDPR if personal or sensitive data is exposed. Organizations in sectors with stringent privacy requirements (e.g., finance, healthcare, government) are particularly at risk. The impact is heightened in environments where these phones are connected to critical networks or where remote access to the devices is enabled without proper segmentation or access controls. The lack of known exploits suggests limited immediate threat, but the medium severity and ease of exploitation warrant proactive measures.

1. Immediately restrict network access to the diagnostic component of Yealink T21P_E2 phones by implementing firewall rules or network segmentation to limit exposure to trusted management networks only. 2. Disable or restrict the diagnostic file read functionality if possible via device configuration to reduce attack surface. 3. Monitor network traffic for unusual or malformed requests targeting the diagnostic interface, using intrusion detection systems or specialized VoIP security tools. 4. Maintain strict access controls and enforce strong authentication mechanisms for device management interfaces to prevent unauthorized access. 5. Engage with Yealink support or vendor channels to obtain firmware updates or patches addressing this vulnerability as soon as they become available. 6. Conduct regular security audits of VoIP infrastructure, including device firmware versions and configurations, to ensure compliance with security best practices. 7. Educate IT and security teams about this vulnerability and the importance of securing VoIP devices within the corporate network.