Jeroen Hermans

Name of the Vulnerable Software and Affected Versions: Yealink YMCS RPS API versions prior to 2025-05-26 Description: The issue is related to the lack of rate limiting in the Yealink YMCS RPS API, which could potentially enable information disclosure via excessive requests. Recommendations: For versions prior to 2025-05-26, consider implementing rate limiting on the API to prevent excessive requests until a patch is available.

Name of the Vulnerable Software and Affected Versions: Yealink YMCS versions prior to 2025-05-26 Description: The issue allows unauthorized access to deactivated interfaces due to the lack of prevention of OpenAPI access by frozen enterprise accounts. Recommendations: For Yealink YMCS versions prior to 2025-05-26, consider restricting access to OpenAPI until a fix is applied to prevent unauthorized access by frozen enterprise accounts.

Name of the Vulnerable Software and Affected Versions: Yealink YMCS RPS versions prior to 2025-05-26 Description: The certificate upload function in Yealink YMCS RPS does not properly validate certificate content, potentially allowing invalid certificates to be uploaded. Recommendations: For versions prior to 2025-05-26, update to a version released after 2025-05-26 to ensure proper validation of certificate content.

Name of the Vulnerable Software and Affected Versions: Yealink YMCS RPS versions prior to 2025-06-04 Description: The issue is related to the lack of SN verification attempt limits, which enables brute-force enumeration of the last five digits. Recommendations: For versions prior to 2025-06-04, update to a version released after 2025-06-04 to include SN verification attempt limits and prevent brute-force enumeration.

**Name of the Vulnerable Software and Affected Versions** Paxton Net2 versions prior to 6.07.14023.5015 (SR4) **Description** Insufficient validation is performed on the REST API License file, enabling the use of the REST API with an invalid License File. This allows attackers to potentially retrieve access-log data. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions prior to 6.07.14023.5015 (SR4), upgrade to version 6.07.14023.5015 (SR4) or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API until the upgrade is applied.