Yealink IP Phones and RPS (Redirect and Provisioning Service)

Monitor | CVSS 5 | ICS-CERT ICSA-25-219-08 | Aug 7, 2025
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Yealink IP phones and the RPS (Redirect and Provisioning Service) contain multiple information disclosure vulnerabilities spanning authentication bypass, brute-force resistance, authorization, and certificate validation. Successful exploitation could result in disclosure of sensitive information such as configuration data or call logs from affected devices. The vulnerabilities exist in various SIP phone models (T19P_E2, T21P_E2, T23G, T40G, T40P, T27G, T41S through T48S, CP920, T53 series, T56A, T58, W52P, W60B, CP960, T27P, T29G, T41P, T42G, T46G, T48G) and the RPS cloud service. Several older phone models (T20P, T22P, T26P, T52S, T54S) are no longer receiving RPS support and will not be patched.

What this means
What could happen
An attacker with valid credentials and network access to Yealink IP phones or the RPS (Redirect and Provisioning Service) could disclose sensitive information such as configuration data or call logs from the affected devices.
Who's at risk
Organizations operating Yealink IP phone systems should care. This affects Yealink SIP phones (T-series and W-series models) deployed as enterprise telecommunications equipment, as well as the Yealink RPS cloud provisioning service that manages phone configuration and firmware distribution. Utilities and municipalities with VoIP phone systems, call centers, or corporate communications infrastructure using Yealink equipment are in scope.
How it could be exploited
An attacker must first obtain valid login credentials for a Yealink IP phone or the RPS service. Once authenticated and on the same network as the device, the attacker can exploit an information disclosure vulnerability to access sensitive data stored on or transmitted by the device.
Prerequisites
  • Valid credentials for the affected Yealink IP phone or RPS service
  • Network access to the Yealink device or RPS service
  • Device must be running a vulnerable firmware version
  • No authentication required after initial access
  • Low complexity exploitation
  • No patch available for multiple models (T20P, T22P, T26P, T52S, T54S, and older T27P variants)
  • Information disclosure could expose configuration and call data
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (33)
33 pending
Product | Affected Versions | Fix Status
SIP-T19P_E2 | <53.84.0.121 | No fix yet
SIP-T21P_E2 | <52.84.0.121 | No fix yet
SIP-T23G | <44.84.0.121 | No fix yet
SIP-T40G | <76.84.0.121 | No fix yet
SIP-T40P | <54.84.0.121 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Yealink IP phones to only authorized personnel and management systems; block direct internet access to these devices
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIP-T19P_E2 to firmware version 53.84.0.160 or higher
HOTFIX: Update SIP-T21P_E2 to firmware version 52.84.0.160 or higher
HOTFIX: Update SIP-T23G to firmware version 44.84.0.160 or higher
HOTFIX: Update SIP-T40G to firmware version 76.84.0.160 or higher
HOTFIX: Update SIP-T40P to firmware version 54.84.0.160 or higher
HOTFIX: Update SIP-T27G to firmware version 69.86.0.160 or higher
HOTFIX: Update SIP-T41S, SIP-T42S, SIP-T46S, and SIP-T48S to firmware version 66.86.0.83 or higher
HOTFIX: Update SIP-CP920 to firmware version 78.86.0.15 or higher
HOTFIX: Update SIP-T53, SIP-T53W, SIP-T54W, and SIP-T57W to firmware version 96.86.0.75 or higher
HOTFIX: Update SIP-T56A and SIP-T58 to firmware version 58.86.0.160 or higher
HOTFIX: Update W52P to firmware version 25.81.0.160 or higher
HOTFIX: Update W60B to firmware version 77.85.0.160 or higher
HOTFIX: Update CP960 to firmware version 73.86.0.160 or higher
HOTFIX: Update SIP-T27P to firmware version 45.83.0.161 or higher
Long-term hardening
HARDENING: Implement firewall rules to isolate Yealink phones from untrusted networks and restrict RPS communication to verified service endpoints
HARDENING: Review and strengthen authentication policies for Yealink device access; disable default credentials if present