Yealink IP Phones and RPS (Redirect and Provisioning Service)
Monitor5ICS-CERT ICSA-25-219-08Aug 7, 2025
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
Multiple Yealink IP phone models and RPS (Redirect and Provisioning Service) are affected by vulnerabilities related to weak credential validation, insufficient rate limiting, and improper access control. These vulnerabilities could allow a person with valid credentials to access sensitive configuration data, call history, and network information stored on the phones or RPS servers. The affected device classes include SIP-T series desk phones, CP series conference phones, W series wireless phones, and the cloud-based RPS provisioning service. Legacy phone models (SIP-T20P, SIP-T22P, SIP-T26P, T52S, T54S) are end-of-support and will not receive patches.
What this means
What could happen
An attacker with credentials could access sensitive configuration and call data stored on affected Yealink phones or RPS servers, potentially exposing network topology, user extensions, and call logs. This information could be used for social engineering or further network reconnaissance.
Who's at risk
This affects organizations using Yealink IP phones (desk phones, conference phones, and wireless devices across the SIP-T and CP series) and the Yealink RPS cloud provisioning service. Primary concern is for utilities, water authorities, and manufacturing facilities that use Yealink phones for critical voice communications and rely on RPS for centralized phone configuration and management. Legacy phone models (SIP-T20P, SIP-T22P, SIP-T26P, T52S, T54S) no longer receive support and pose additional risk.
How it could be exploited
An attacker with valid login credentials connects to a Yealink IP phone or RPS server over the network (HTTP or proprietary protocols). The attacker exploits weak credential validation (CWE-307, CWE-863) or rate limiting (CWE-770) to gain unauthorized access to configuration and call history data. They could also potentially bypass certificate validation (CWE-295) if TLS is used.
Prerequisites
- Valid user or engineer credentials for a Yealink phone or RPS account
- Network access to the phone or RPS server on the provisioning/management port (typically port 80, 443, or 8080)
- The affected device must be running a vulnerable firmware version
No patch available for many legacy modelsWeak authentication validation (CWE-307, CWE-863)Weak rate limiting (CWE-770)Certificate validation bypass possible (CWE-295)Information disclosure of call data and network configurationDefault or poorly managed credentials in field deployments
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (33)
33 pending
ProductAffected VersionsFix Status
SIP-T19P_E2: <53.84.0.121<53.84.0.121No fix yet
SIP-T21P_E2: <52.84.0.121<52.84.0.121No fix yet
SIP-T23G: <44.84.0.121<44.84.0.121No fix yet
SIP-T40G: <76.84.0.121<76.84.0.121No fix yet
SIP-T40P: <54.84.0.121<54.84.0.121No fix yet
Remediation & Mitigation
0/6
Do now
0/3HARDENINGImplement firewall rules to restrict access to Yealink phones and RPS servers to only authorized management networks; block direct internet access
HARDENINGEnforce strong, unique passwords for all Yealink phone and RPS accounts; disable default credentials if any exist
HARDENINGUse VPN or isolated management networks for remote access to phones and RPS; do not expose provisioning ports directly to untrusted networks
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
RPS (Redirect and Provisioning Service): <builds_05-26-2025
HOTFIXUpdate RPS (Redirect and Provisioning Service) to the latest cloud version deployed by Yealink (as of 05-26-2025 or later)
All products
HOTFIXUpdate Yealink phones to the patched firmware versions specified for each model (e.g., SIP-T19P_E2 to version 53.84.0.160 or higher)
Long-term hardening
0/1WORKAROUNDFor legacy phone models (SIP-T20P, SIP-T22P, SIP-T26P, T52S, T54S) no longer receiving RPS support, isolate them from the network or plan for replacement
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/6de10e94-7055-48ea-bb2e-eedee433631a