PT-2024-59: OS Command Injection in Yealink Meeting Server (YMS)

CRITICAL

(9.3) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

THREATSCAPE

Analytics articles

What are the security threats on your network?

Check your traffic-for free

Request pilot

Vulnerability type:
CWE-78:Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Vulnerability vector:

Base vulnerability score (CVSSv3.1): CVSS:3.1/ AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity (CVSSv3.1): 9.8 (critical)
Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Severity (CVSSv4.0): 9.3 (critical)

Description:

The vulnerability was identified in Yealink Meeting Server (YMS) , versions < V26.0.0.66.

The discovered vulnerability can be exploited by an internal attacker to execute commands with superuser privileges, which can lead to privilege escalation on the vulnerable host.

Vulnerability status: Confirmed by vendor

Date of vulnerability remediation: 24.11.2023

Recommendations:

Update to version V26.0.0.67 or higher

Additional information: Security advisory

Researcher: Positive Technologies

Identifier:

CVE- 2024-24091

BDU:2024-00482

Vendor:

Yealink

Vulnerable product:

Yealink Meeting Server (YMS)

Vulnerable version:

< V26.0.0.66

Get in touch

Fill in the form and our specialists
will contact you shortly

General
questions

We're happy to answer any questions you may have.

Partnership

Join us in making the world a safer place.

Request a pilot

Test drive our solutions with a customized pilot program.

PT-2024-59: OS Command Injection in Yealink Meeting Server (YMS)

Analytics articles

What are the security threats on your network?

Vulnerability type:CWE-78:Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Get in touch

Vulnerability type:
CWE-78:Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')