Yealink is the global leader in IP telephony and one of the top five producers of online conference solutions.
PT SWARM experts discovered the problematic CVE-2024-48352 vulnerability (BDU:2024-07167) in the Yealink Meeting Server. With a CVSS 3.1 score of 7.5, the vulnerability can lead to leaks of the credentials and sensitive information of conference callers and allow attackers to penetrate the corporate network. The vendor was notified of the threat in line with the responsible disclosure policy and has already released a software patch.
Yealink solutions are used in over 140 countries. According to open sources, there were 461 vulnerable Yealink Meeting Server systems worldwide as of October 2024. The majority of installations are in China (64%), Russia (13%), Poland (5%), Indonesia and Brazil (3% each), Thailand, Finland, and Iran (2% each), and Germany (1%).
"Before remediation, vulnerability CVE-2024-48352 gave any attacker access to the credentials of all users in the system without authorization. In other words, attackers could log in to the Yealink Meeting Server video conferencing system on behalf of any user and intercept information in an organization," shared Egor Dimitrenko, Senior Specialist in the Security Analysis Department Penetration Testing Team, Positive Technologies.
This is the second vulnerability that Positive Technologies has helped fix in the Yealink Meeting Server video conferencing system this year. In January 2024, the PT SWARM team also discovered BDU:2024-00482 (CVE-2024-24091). If organizations haven't updated their video conferencing system, attackers can combine both these vulnerabilities to gain initial access to the corporate segment by exploiting pre-auth RCE. In other words, a cybercriminal could first log in to the system and then execute arbitrary code. The PT SWARM team urges users to install the latest version of Yealink Meeting Server as soon as possible.
Endpoint detection and response (EDR) security solutions like MaxPatrol EDR can help reduce the threat of this dangerous vulnerability chain being exploited. MaxPatrol EDR allows you to detect malicious activity, send a signal to the SIEM system, and prevent attackers from carrying out attacks. To detect and block attempts to exploit vulnerabilities like BDU:2024-07167, it is recommended to use systems for analyzing application code security, such as PT Application Inspector, dynamic analysis tools like PT BlackBox, and web application firewalls, including PT Application Firewall or its cloud-based version, PT Cloud Application Firewall. Flaws in infrastructure can be discovered with MaxPatrol VM. Attempts to exploit a vulnerability can also be detected using PT Network Attack Discovery, network traffic analysis (NTA) solutions, and next-generation firewalls like PT NGFW.