Cyber Resilience

CVE-2021-27561

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE


Published: 15 October 2021
Modified: 10 November 2025
KEV Added: 03 November 2021
Patch: none listed in the supplied references
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9411 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-27561 is a critical-severity OS Command Injection (CWE-78) vulnerability in Yealink Device Management. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Yealink Device Management (DM) version 3.6.0.20 contains an unauthenticated command injection vulnerability (CWE-78) that permits arbitrary command execution as root. The flaw is reachable at the /sm/api/v1/firewall/zone/services endpoint and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction.

An attacker with network connectivity to the affected server can submit crafted requests to the vulnerable URI and execute operating-system commands with full root privileges, resulting in complete compromise of confidentiality, integrity, and availability of the Device Management application and its host.

The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation; the associated SSD Disclosure report provides further technical details on the injection vector. No vendor-supplied patch or mitigation guidance appears in the supplied references.


Vulnerability details

Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

yealink · device management · ≤ 3.6.0.20

Mitigating Controls (NIST 800-53 r5)

prevent: AC-3 (Access Enforcement). Directly enforces authentication and authorization checks on the /sm/api/v1/firewall/zone/services endpoint before any command execution is permitted.

prevent: SI-10 (Information Input Validation). Requires validation and sanitization of all input to the vulnerable URI, blocking the command-injection payload that leads to root execution.

prevent: IA-2 (Identification and Authentication (Organizational Users)). Mandates identification and authentication of organizational users before any privileged operations on the Device Management service are allowed.
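What the two leading controls look like in code, as an added illustration that is not Yealink's implementation and not taken from this record: a hypothetical request handler shaped like the /sm/api/v1/firewall/zone/services endpoint, with AC-3 (access enforcement) applied before any command is built and SI-10 (input validation) applied to the zone and service values. The vulnerable shell-string builder is shown beside the hardened argv builder so the difference is concrete. The session dictionary, the request body layout, the role name, the service allowlist and the firewall command line are all assumptions for the example.

```python
# Added illustration, not Yealink's code: NIST 800-53 AC-3 (access
# enforcement) and SI-10 (input validation) applied to a hypothetical
# handler shaped like the /sm/api/v1/firewall/zone/services endpoint.
# The session layout, request body layout, role name, service allowlist
# and firewall command line are assumptions made for this example.
import re
import subprocess

# Constructed allowlist: the only service names the hypothetical firewall
# layer may open. Membership, not escaping, is the control.
ALLOWED_SERVICES = frozenset({"ssh", "https", "sip", "ntp"})
# Zone names: a short lowercase identifier; anything else is rejected outright.
ZONE_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")


class RequestRejected(Exception):
    """Raised when a request fails an access or validation check."""


def vulnerable_command(zone, services):
    """Anti-pattern: caller-controlled text is pasted into a shell string.
    Whatever the caller places in `zone` or `services` reaches the shell
    that will later interpret the string."""
    return f"firewall-cmd --zone={zone} --add-service={','.join(services)}"


def validated_argv(zone, services):
    """SI-10: validate structure and membership, then build an argv list.
    No shell is involved, so shell metacharacters stay inert even if a
    later change loosened the validation."""
    if not isinstance(zone, str) or not ZONE_RE.fullmatch(zone):
        raise RequestRejected(f"zone name rejected: {zone!r}")
    if not isinstance(services, (list, tuple)) or not services:
        raise RequestRejected("services must be a non-empty list")
    unknown = [s for s in services if s not in ALLOWED_SERVICES]
    if unknown:
        raise RequestRejected(f"unknown service(s): {unknown!r}")
    argv = ["firewall-cmd", f"--zone={zone}"]
    argv += [f"--add-service={s}" for s in sorted(set(services))]
    return argv


def handle_zone_services(session, body):
    """AC-3: enforce authentication and authorization before any command
    is constructed. `session` is assumed to look like
    {"authenticated": True, "role": "admin"}; `body` is the parsed request."""
    if not session.get("authenticated"):
        raise RequestRejected("unauthenticated")
    if session.get("role") != "admin":
        raise RequestRejected("insufficient privilege")
    return validated_argv(body.get("zone", ""), body.get("services", []))


def is_rejected(session, body):
    """True when the handler refuses the request (used by the checks below)."""
    try:
        handle_zone_services(session, body)
    except RequestRejected:
        return True
    return False


def run_argv(argv):
    """Execute a validated argv without a shell (shell=False is the default).
    Not called in this example so it runs offline."""
    return subprocess.run(argv, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    admin = {"authenticated": True, "role": "admin"}
    # Constructed inputs: one legitimate, one with shell metacharacters.
    print(handle_zone_services(admin, {"zone": "public", "services": ["ssh"]}))
    print("vulnerable string:",
          vulnerable_command("public; echo injected", ["ssh"]))
    print("hardened rejects:",
          is_rejected(admin, {"zone": "public; echo injected", "services": ["ssh"]}))
```

The order matters: the handler refuses unauthenticated and under-privileged sessions before it looks at the body at all, which is the property an unauthenticated root command injection lacks, and the validated path never produces a shell string, so a metacharacter that slips past the regex has nothing to act on.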
