Before the issues were fixed, the vulnerabilities exposed businesses to risks including financial damage, data breaches, and even the interception of confidential communications.
Egor Dimitrenko of PT SWARM identified and helped fix two vulnerabilities in Yealink Meeting Server. Tracked as PT-2025-54941 (BDU: 2025-06898) and PT-2025-54940 (BDU: 2025-06897), they received CVSS 3.1 scores of 8.8 (high) and 5.3 (medium), respectively. Successful exploitation could have enabled remote attackers to take control of the server, intercept calls, access sensitive data, and use the compromised system as a foothold for attacks on internal corporate networks. The findings were reported to the vendor in accordance with responsible disclosure practices, and patches have already been released (1, 2).
Yealink Network Technology is one of the world's leading vendors of unified communications and collaboration solutions, with its products used in more than 140 countries. According to threat intelligence research conducted by Positive Technologies, 692 Yealink Meeting servers worldwide remain exposed to these vulnerabilities. Most of the affected servers are located in China, which accounts for 50% of the global total, followed by Poland with 25% and Russia with 10%.
If successfully exploited, PT-2025-54941 could have enabled attackers to extract sensitive information, including user credentials. PT-2025-54940, a command injection vulnerability, could have enabled an authenticated remote attacker to achieve remote code execution (RCE) on the server. The two flaws form a natural exploit chain: an attacker first obtains valid credentials through PT-2025-54941, uses them to authenticate to the application, and then exploits PT-2025-54940 to execute arbitrary commands. Chained in this way, the vulnerabilities could have given a threat actor complete control of the system with maximum privileges.
For example, by taking control of a video conferencing server, attackers could not only intercept communications but also use the compromised system as an initial foothold in the target organization. From there, they could advance further into the IT infrastructure, move laterally through the internal corporate network, and pursue their objectives. Possible consequences for affected organizations include financial losses, potentially including the theft of funds, confidential data breaches, and disruption of critical business processes.
1 The vulnerabilities have been registered on the dbugs portal, which aggregates data on vulnerabilities in software and hardware from vendors around the world.
"The vulnerabilities affected all versions earlier than 26.0.0.69 and posed a particular risk to organizations with Yealink Meeting servers exposed to the internet. Attackers would not have needed prior knowledge of passwords or other application data, because they could potentially obtain valid credentials by exploiting PT-2025-54941. With that initial foothold, organized threat groups could have penetrated further into the corporate network to steal data, disrupt systems, or prepare broader attacks."

The vendor has released patches and recommends that customers upgrade to a fixed version of Yealink Meeting Server as soon as possible, specifically version 26.0.0.69 or later. If an immediate upgrade is not feasible, additional security controls can help mitigate the risk. EDR solutions such as MaxPatrol EDR can detect malicious activity and stop an attack from progressing. Advanced NTA and NDR solutions, including PT Network Attack Discovery (PT NAD), can detect attempts to exploit these vulnerabilities, while NGFW products such as PT NGFW can block them. Web application firewalls such as PT Application Firewall, along with code security analysis tools such as PT Application Inspector, can also help identify and prevent exploitation of similar flaws.
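A practical first step for an administrator is to check whether an installed build falls in the affected range ("all versions earlier than 26.0.0.69"). The snippet below is an added example, not code from Positive Technologies or Yealink; it assumes the four-part dotted version format used in the advisory and takes the version string as input, since how you read it from a given deployment (admin console, CLI, or banner) is not described on this page. It also shows why a naive string comparison gives the wrong answer for builds such as 26.0.0.7.

```python
"""Check whether a Yealink Meeting Server version string is in the affected range.

Added example, not vendor code. Assumes dotted numeric versions ("A.B.C.D") as in
the advisory; obtaining the version string from a live server is out of scope.
"""
from typing import Tuple

FIXED_VERSION = "26.0.0.69"  # first fixed build, per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into a tuple of ints so comparison is numeric.

    Comparing the raw strings is a classic mistake: "26.0.0.7" > "26.0.0.69"
    lexicographically, while 7 < 69 numerically.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is earlier than the first fixed release."""
    v, f = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so "26.0.0" compares equal to "26.0.0.0".
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


def naive_string_compare_is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """The wrong way, kept only to show why numeric parsing matters."""
    return version < fixed


if __name__ == "__main__":
    # Constructed sample inputs; not real inventory data.
    for v in ("25.0.0.10", "26.0.0.7", "26.0.0.69", "26.1.0.0"):
        print(
            f"{v:>10}: numeric -> {'affected' if is_affected(v) else 'fixed'};"
            f" naive string -> {'affected' if naive_string_compare_is_affected(v) else 'fixed'}"
        )
```

Run this against the version reported by each server in inventory; any result of "affected" means the host is still exposed to PT-2025-54941 and PT-2025-54940 and should be upgraded, or at minimum removed from direct internet exposure until it can be.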
This is the third time in the past two years that Positive Technologies experts have helped address security flaws in Yealink Meeting Server. In 2024, with Egor Dimitrenko's participation, two other serious issues were remediated. One of them also allowed attackers to remotely obtain user credentials, while the other was a command injection vulnerability. As in the current case, those earlier flaws could have been used together in an exploit chain to gain access to corporate IT infrastructure and achieve arbitrary code execution.
For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and vendor recommendations for software and hardware from vendors around the world.