CVE-2021-27561
Published: 15 October 2021
Summary
CVE-2021-27561 is a critical-severity OS Command Injection (CWE-78) vulnerability in Yealink Device Management. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Yealink Device Management (DM) version 3.6.0.20 contains an unauthenticated command injection vulnerability (CWE-78) that permits arbitrary command execution as root. The flaw is reachable at the /sm/api/v1/firewall/zone/services endpoint and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction.
An attacker with network connectivity to the affected server can submit crafted requests to the vulnerable URI and execute operating-system commands with full root privileges, resulting in complete compromise of confidentiality, integrity, and availability of the Device Management application and its host.
The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation; the associated SSD Disclosure report provides further technical details on the injection vector. No vendor-supplied patch or mitigation guidance appears in the supplied references.
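As an added example (not from this advisory, the SSD report, or Yealink), the following log-review check flags every request to the endpoint named above and escalates those whose decoded query string carries shell metacharacters. The combined-log format, the sample lines and the metacharacter heuristic are constructed assumptions; the advisory does not publish the injection vector itself.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Endpoint named in the advisory for CVE-2021-27561.
VULN_URI = "/sm/api/v1/firewall/zone/services"

# Shell metacharacters commonly seen in CWE-78 attempts. This is a triage heuristic
# (an assumption), not the exact vector, which the advisory leaves to the SSD report.
SHELL_META = re.compile(r"[;|&`$\n]")

# Assumed Apache/nginx combined-log-style line format; adapt to the real log source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per request to the vulnerable URI: 'medium' because the endpoint is
    reachable unauthenticated, 'high' when the decoded query carries shell metacharacters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format
        target = unquote(m.group("target"))  # decode %XX so encoded metacharacters are visible
        path, _, query = target.partition("?")
        if path != VULN_URI:
            continue
        severity = "high" if SHELL_META.search(query) else "medium"
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "target": target,
            "status": m.group("status"),
            "severity": severity,
        })
    return findings

# Constructed sample lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Oct/2021:10:00:01 +0000] "GET /sm/api/v1/device/list HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Oct/2021:10:00:05 +0000] "POST /sm/api/v1/firewall/zone/services HTTP/1.1" 200 88',
    '198.51.100.9 - - [15/Oct/2021:10:00:09 +0000] "GET /sm/api/v1/firewall/zone/services?zone=wan%3Becho%20x HTTP/1.1" 200 45',
]
```

Access logs do not record POST bodies, so a bare hit on the URI (the 'medium' case) still deserves review rather than dismissal.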
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-14312
Vulnerability details
Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces authentication and authorization checks on the /sm/api/v1/firewall/zone/services endpoint before any command execution is permitted.
- SI-10 (Information Input Validation): requires validation and sanitization of all input to the vulnerable URI, blocking the command-injection payload that leads to root execution.
- Identification and authentication of organizational users is required before any privileged operation on the Device Management service is allowed.