PT-2025-17441 · Yi · Yi Iot Xy-3820
Yasha-Ops · Published 2025-04-21 · Updated 2025-06-23 · CVE-2025-29660
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Yi IOT XY-3820 version 6.0.24.10
Description
A vulnerability exists in the daemon process of the Yi IOT XY-3820, which exposes a TCP service on port 6789. This service lacks proper input validation, allowing attackers to execute arbitrary scripts present on the device by sending specially crafted TCP requests using directory traversal techniques.
Recommendations
For version 6.0.24.10, as a temporary workaround, consider restricting access to the TCP service on port 6789 until a patch is available. Avoid using directory traversal techniques in TCP requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
RCE
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Yi Iot Xy-3820