CVE-2021-27561 — Yealink Device Management Server-Side Request Forgery (SSRF) Vulnerability


Yealink Device Management — Unauthenticated SSRF and Command Injection Enabling Remote Code Execution Against VoIP Phone Management Infrastructure

Yealink Device Management is the centralized management platform for Yealink IP phones and SIP video conferencing endpoints — widely deployed in enterprise and SMB unified communications environments. The platform allows IT administrators to provision, configure, and update Yealink VoIP hardware across the organization. Because the device management server can push firmware and configuration to all managed phones, compromise of this server provides an attacker with control over the organization's entire VoIP infrastructure.

Overview

CVE-2021-27561 is a server-side request forgery (SSRF) and OS command injection vulnerability (CWE-78) in the Yealink Device Management platform. An unauthenticated remote attacker can send requests to the Yealink Device Management server that cause it to perform arbitrary HTTP requests to internal or external targets (SSRF), and in combination with CVE-2021-27562 (a related command injection vulnerability), can achieve remote code execution. The CVSS score reflects the combined unauthenticated RCE impact.

Affected Versions

Product                               Vulnerable               Fixed
Yealink Device Management Platform    Versions prior to fix    Contact Yealink for patched version

Technical Details

The Yealink Device Management server exposes a phonebook/provisioning URL fetch function that allows specifying a URL for the server to retrieve. This functionality lacks authentication and URL scheme/host validation:

  • SSRF vector: The server fetches attacker-specified URLs without authentication, allowing internal network reconnaissance and access to internal services not reachable from the internet
  • Command injection: CVE-2021-27562 (companion vulnerability) allows OS command injection when combined with the SSRF, providing a path to full RCE on the device management server
  • No authentication required: Both vulnerabilities are exploitable without any credentials
  • Impact: Full code execution on the Yealink Device Management server, with subsequent ability to modify phone configurations and push malicious firmware to all managed Yealink devices
  • VoIP infrastructure risk: An attacker who compromises the management server can manipulate SIP configurations, eavesdrop on calls, redirect calls, or brick phones via malicious firmware
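The advisory states that the fetch function lacks authentication and URL scheme/host validation. The following is an added example written for this page, not Yealink's code, showing what that missing validation looks like in a server-side URL fetch handler: an HTTP(S)-only scheme check, a host allowlist, rejection of embedded credentials and shell metacharacters, and a resolution check that refuses private, loopback and link-local targets. The allowlisted host name, the 2048-byte limit and the injectable resolver are assumptions for illustration.

```python
"""Added example, not Yealink's code: validating an operator-supplied fetch URL
before a server retrieves it, i.e. the scheme/host validation the advisory says
the phonebook/provisioning fetch lacked."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist of provisioning/phonebook hosts an operator would configure.
ALLOWED_HOSTS = {"provisioning.example.com"}
# Defence in depth: a fetch URL must never reach a shell, but reject metacharacters anyway.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")


def is_public_address(ip_text):
    """True only for globally routable unicast addresses (no RFC1918, loopback,
    link-local/metadata, multicast, reserved or unspecified ranges)."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url, resolver=socket.gethostbyname):
    """Return (ok, reason). The resolver is injectable so the check can be
    exercised offline; in production the resolved address should also be the
    one actually connected to, so DNS cannot change between check and fetch."""
    if len(url) > 2048:
        return False, "url too long"
    if SHELL_META.search(url):
        return False, "shell metacharacter in url"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %s" % (parts.scheme or "(none)")
    if parts.username or parts.password:
        return False, "credentials in url"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allowlist: %s" % host
    try:
        resolved = resolver(host)
    except OSError:
        return False, "host does not resolve"
    if not is_public_address(resolved):
        return False, "host resolves to non-public address %s" % resolved
    return True, "ok"


if __name__ == "__main__":
    # Offline demonstration with a stub resolver; real code would use the default.
    for candidate in ("https://provisioning.example.com/phonebook.xml",
                      "file:///etc/hosts",
                      "http://10.0.0.5/phonebook.xml"):
        print(candidate, "->", validate_fetch_url(candidate, resolver=lambda h: "1.2.3.4"))
```

The order of checks matters: the allowlist and scheme tests run before any DNS lookup, so the server never resolves arbitrary names, and the address returned by the resolver is what the HTTP client should be told to connect to (with the original host name kept for TLS verification), otherwise a name that resolves differently a moment later defeats the check. Authentication of the caller is a separate control and is assumed to sit in front of this handler.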

Discovery

Identified by security researchers and reported publicly. The simultaneous CISA KEV addition with CVE-2021-27562 (the companion command injection) reflects that both vulnerabilities were being exploited together in the wild.

Exploitation Context

Confirmed active exploitation prompted the CISA KEV addition in November 2021. Yealink device management servers that are internet-accessible (deployed for remote administration of phones) are directly reachable by attackers. VoIP infrastructure compromise can support business email compromise (BEC) fraud, eavesdropping on corporate communications, and lateral movement into the corporate network through the VoIP VLAN.

Remediation

  1. Apply the Yealink Device Management patch — contact Yealink support for the patched version
  2. Restrict internet access to the Yealink Device Management server — it should only be accessible from the internal network or VPN-connected administrators
  3. If internet exposure was present, check for signs of exploitation: unexpected phone configuration changes, unusual outbound requests from the management server
  4. Place the Yealink Device Management server in a dedicated VoIP management VLAN with strict access controls
  5. Review phone firmware versions on managed devices for unexpected firmware changes following potential compromise
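Remediation step 3 asks operators to look for unusual outbound requests from the management server. The block below is an added example, not Yealink's or CISA's code, that screens firewall-style connection records for exactly that: egress from the management server to internal hosts outside the phone VLAN (the pattern an SSRF pivot produces), to external hosts that are not an expected vendor endpoint, or on unexpected ports. The management server address, the phone VLAN range, the allowlisted external host and the log lines are all constructed sample values.

```python
"""Added example (not Yealink's code): screening outbound connection logs from a
device management server for unexpected egress, per remediation step 3."""
import ipaddress
import re

# Hypothetical sample values, not taken from the advisory.
DM_SERVER = ipaddress.ip_address("10.20.0.5")            # management server
PHONE_VLAN = ipaddress.ip_network("10.30.0.0/16")        # managed-phone VLAN
ALLOWED_EXTERNAL = {ipaddress.ip_address("1.2.3.4")}     # vendor update/licensing host
EXPECTED_PORTS = {80, 443}

# Constructed firewall-style connection records (key=value syslog format).
SAMPLE_LOG = """\
2021-11-04T02:13:07Z src=10.20.0.5 dst=10.30.4.12 dport=443 proto=tcp
2021-11-04T02:13:09Z src=10.20.0.5 dst=1.2.3.4 dport=443 proto=tcp
2021-11-04T02:14:01Z src=10.20.0.5 dst=10.20.0.1 dport=22 proto=tcp
2021-11-04T02:14:03Z src=10.20.0.5 dst=169.254.169.254 dport=80 proto=tcp
2021-11-04T02:15:30Z src=10.20.0.5 dst=5.6.7.8 dport=8080 proto=tcp
2021-11-04T02:15:31Z src=10.20.0.5 dst=1.2.3.4 dport=8080 proto=tcp
2021-11-04T02:15:32Z src=10.30.4.12 dst=10.20.0.5 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def classify(line):
    """Return a finding dict for a suspicious outbound record from the DM server, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    if src != DM_SERVER:
        return None                      # only the management server's egress matters here
    dport = int(m["dport"])
    if dst in PHONE_VLAN:
        # Provisioning traffic to managed phones is expected on the usual web ports.
        reason = None if dport in EXPECTED_PORTS else "unexpected port to phone VLAN"
    elif dst.is_private or dst.is_loopback or dst.is_link_local:
        reason = "internal destination outside the phone VLAN (possible SSRF pivot)"
    elif dst not in ALLOWED_EXTERNAL:
        reason = "external destination not in allowlist"
    elif dport not in EXPECTED_PORTS:
        reason = "unexpected port to allowed external host"
    else:
        reason = None
    if reason is None:
        return None
    return {"ts": m["ts"], "dst": str(dst), "dport": dport, "reason": reason}


def scan_log(text):
    """Apply classify() to every line and keep only the findings, in log order."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%s %s:%d %s" % (f["ts"], f["dst"], f["dport"], f["reason"]))
```

On the sample records this flags the SSH attempt to another internal host, the reach to the link-local address, the unknown external host, and an allowlisted host on a port it is never contacted on, while the two legitimate records and the inbound phone connection pass. The thresholds are deliberately strict: a management server that should only talk to its phones and its vendor has a small enough egress profile that anything else is worth a look.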

Key Details

Property               Value
CVE ID                 CVE-2021-27561
Vendor / Product       Yealink — Device Management
NVD Published          2021-10-15
NVD Last Modified      2025-11-10
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-78
CISA KEV Added         2021-11-03
CISA KEV Deadline      2021-11-17
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date          Event
2021-10-15    CVE published
2021-11-03    Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17    CISA BOD 22-01 remediation deadline

References

Resource                    Type
NVD — CVE-2021-27561        Vulnerability Database
CISA KEV Catalog Entry      US Government