CVE-2025-66737 – Yealink T21P_E2 phones running firmware 52.84.0... (How to Fix)

📋 TL;DR

Yealink T21P_E2 phones running firmware 52.84.0.15 have a directory traversal vulnerability in the diagnostic component. Remote attackers with normal privileges can read arbitrary files on the device by crafting malicious requests. This affects organizations using these specific VoIP phones in their networks.

💻 Affected Systems

Products:

Yealink T21P_E2 Phone

Versions: 52.84.0.15

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects T21P_E2 model with specific firmware version. Requires attacker to have normal user privileges on the phone.

📦 What is this software?

Sip T21\(p\)e2 Firmware by Yealink

View all CVEs affecting Sip T21\(p\)e2 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read sensitive configuration files, credentials, or system files, potentially enabling further attacks or data exfiltration.

🟠

Likely Case

Attackers read configuration files to gather network information or credentials for lateral movement within the VoIP network.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the compromised device only.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but uses normal user privileges. Crafted requests to diagnostic component can traverse directories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://yealink.com

Restart Required: Yes

Instructions:

1. Check Yealink website for security advisories
2. Download latest firmware if available
3. Upload firmware to phone via web interface
4. Reboot phone after update

🔧 Temporary Workarounds

Disable Diagnostic Access

all

Restrict access to diagnostic component via network controls

Network Segmentation

all

Isolate VoIP phones in separate VLAN with restricted access

🧯 If You Can't Patch

Segment VoIP network from critical infrastructure
Implement strict access controls to phone management interfaces

🔍 How to Verify

Check if Vulnerable:

Check phone firmware version via web interface at System > Status > Version

Check Version:

curl -s http://phone-ip/cgi-bin/version.cgi

Verify Fix Applied:

Verify firmware version is updated beyond 52.84.0.15

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns in diagnostic logs
Multiple failed directory traversal attempts

Network Indicators:

HTTP requests with ../ sequences to diagnostic endpoints
Unusual file read patterns from phone IP

SIEM Query:

source="voip_logs" AND (uri="*../*" OR method="GET" AND uri="*/cgi-bin/diagnostic*")

📊 Metadata

CVE ID: CVE-2025-66737

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-23

EPSS Score: 0.08% exploit probability (22.5th percentile)

Published: December 26, 2025

Last Updated: January 9, 2026

🔗 References

http://yealink.com Product
https://drive.google.com/file/d/1MpxnCL4koKupqWWDmY3ljlybjIPD8ieD/view?usp=sharing Exploit

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-66737, you might also want to check these: