CVE-2021-27561

Name of the Vulnerable Software and Affected Versions Yealink Device Management version 3.6.0.20

Description The issue is related to a lack of input data sanitization in the Yealink Device Management platform, allowing a remote attacker to execute arbitrary commands as the root user. Specifically, the "/sm/api/v1/firewall/zone/services" API endpoint is vulnerable to command injection without requiring authentication.

Recommendations For Yealink Device Management version 3.6.0.20, consider disabling access to the "/sm/api/v1/firewall/zone/services" API endpoint until a patch is available. Additionally, restrict the use of the firewall/zone/services module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.