CyberSec.Space Logo
Back to CVE Browser

CVE-2021-27561

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score73.6050%
EPSS Percentile95.53th
PublishedOct 15, 2021
Last ModifiedNov 10, 2025

Vulnerability Description

Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.

Affected Platforms (CPE)

๐Ÿ“ฆ
Yealink

Device Management

<= 3.6.0.20

References & Advisories

๐Ÿ”— https://ssd-disclosure.com/?p=4688
๐Ÿ”— https://ssd-disclosure.com/?p=4688
๐Ÿ”— https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27561

Related Vulnerabilities

CVE-2019-1664910.0

On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual med...

CVE-2019-1665010.0

On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same ...

CVE-2019-1264310.0

A vulnerability in the Cisco REST API virtual service container for Cisco IOS XE Software could allow an unauthenticated, remote a...

CVE-2019-1744010.0

Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Manage...