cbcvebase.
CVE-2021-27561
published 2021-10-15

CVE-2021-27561: Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.

Priority: P196 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 82.52% (99.6th percentile)

Affected

1 range

Vendor    Product             Version range   Fixed in
yealink   device_management   <= 3.6.0.20

Detection & IOCs (extracted from sources)

url:  /premise/front/getPingData?url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone=;/usr/bin/id;
path: /premise/front/getPingData
path: /sm/api/v1/firewall/zone/services
port: 9600

snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)"; flow:established,to_server; http.uri; content:"/premise/front/getPingData?url=http|3a 2f 2f|0.0.0.0|3a|9600/sm/api/v1/firewall/zone/services?zone="; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; reference:url,ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562; reference:cve,2021-27561; classtype:attempted-admin; sid:2032095; rev:3; metadata:attack_target IoT, created_at 2021_03_17, cve CVE_2021_27561, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_09_20;)
  • Exploit requests are unauthenticated GET requests to /premise/front/getPingData with a url parameter proxying to the internal port 9600 SSRF endpoint; the zone parameter contains the injected shell command.
  • Successful exploitation returns a JSON response body containing uid=, gid=, and groups= strings (output of /usr/bin/id running as root); match all three in the response body with Content-Type: application/json.
  • Use the regex (u|g)id=.* against the HTTP response body to extract and confirm root-level command execution output.
  • The Emerging Threats Snort rule (sid:2032095) fires on HTTP URIs starting with /premise/front/getPingData?url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone= inbound to the protected network.
  • This vulnerability is tagged as associated with Mirai botnet activity; correlate exploitation attempts with subsequent Mirai C2 or bot propagation traffic.
  • The SSRF pivot uses the fixed internal address 0.0.0.0 on port 9600; the outer SSRF endpoint (/premise/front/getPingData) is the externally reachable attack surface, while the actual command injection occurs on the internal management API.
  • No authentication is required to reach either the SSRF endpoint or the internal command-injection API; network-level blocking of external access to the Yealink DM web interface is the primary mitigation until patching.
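The detection notes above, turned into a small defender-side classifier. This is an added example, not part of this record or of any vendor tooling: it splits a request URI into the three stages the notes describe (SSRF endpoint reached, internal 0.0.0.0:9600 API targeted, shell metacharacter in zone) and checks a response body for the id(1) fields. The sample URIs and response bodies are constructed, except the third URI, which is the IOC URL listed above.

```python
import re
from urllib.parse import urlsplit, unquote

# Indicators taken from the detection section of this record.
SSRF_PATH = "/premise/front/getPingData"            # externally reachable endpoint
INTERNAL_HOST, INTERNAL_PORT = "0.0.0.0", 9600      # fixed internal SSRF target
INJECT_PATH = "/sm/api/v1/firewall/zone/services"   # internal API with the injectable zone parameter
SHELL_META = re.compile(r"[;|`$]")                   # characters a shell needs to chain a second command


def classify_request(uri: str) -> dict:
    """Break a request URI down into the three detection stages the notes describe."""
    stages = {"ssrf_endpoint": False, "internal_target": False, "shell_metachar": False}
    outer = urlsplit(uri)
    if outer.path != SSRF_PATH:
        return stages
    stages["ssrf_endpoint"] = True
    # Pull url= out by hand: the inner URL carries its own '?' and ';', which
    # generic query-string parsers may treat as separators and silently truncate.
    m = re.search(r"(?:^|&)url=([^&]*)", unquote(outer.query))
    if not m:
        return stages
    inner = urlsplit(m.group(1))
    if (inner.hostname, inner.port, inner.path) == (INTERNAL_HOST, INTERNAL_PORT, INJECT_PATH):
        stages["internal_target"] = True
        z = re.search(r"(?:^|&)zone=([^&]*)", inner.query)
        if z and SHELL_META.search(z.group(1)):
            stages["shell_metachar"] = True
    return stages


def is_exploit_attempt(uri: str) -> bool:
    """Alert when the outer SSRF endpoint is pointed at the internal command-injection API."""
    s = classify_request(uri)
    return s["ssrf_endpoint"] and s["internal_target"]


def response_shows_root_exec(body: str) -> bool:
    """Confirm success as the notes suggest: all three id(1) fields present in the body.
    A value of uid=0 in that output is what marks the command as having run as root."""
    return all(k in body for k in ("uid=", "gid=", "groups="))


# Constructed sample URIs (hypothetical log lines; the third is the IOC URL from this record,
# the fourth is the same request with its url= parameter percent-encoded).
SAMPLE_URIS = [
    "/login",
    "/premise/front/getPingData?url=http://10.0.0.5/health",
    "/premise/front/getPingData?url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone=;/usr/bin/id;",
    "/premise/front/getPingData?url=http%3A%2F%2F0.0.0.0%3A9600%2Fsm%2Fapi%2Fv1%2Ffirewall%2Fzone%2Fservices%3Fzone%3D%3Bid%3B",
]
```

Run `[u for u in SAMPLE_URIS if is_exploit_attempt(u)]` to see that only the last two URIs are flagged; a benign ping check through the same endpoint stays quiet.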

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL