CVE-2021-27562
published 2021-05-25

Priority: P276
Severity: medium, 5.5 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
KEV: CISA Known Exploited Vulnerability, due 2021-11-17
ITW: Exploited in the wild
EPSS: 3.09% (86.1th percentile)

In Arm Trusted Firmware M through 1.2, the NS world may trigger a system halt, an overwrite of secure data, or the printing out of secure data when calling secure functions under the NSPE handler mode.

Affected

1 range
Vendor | Product | Version range | Fixed in
trustedfirmware | trusted_firmware-m | <= 1.2.0 |

Detection & IOCs (extracted from sources)

url: /premise/front/getPingData?url=http|3a 2f 2f|0.0.0.0|3a|9600/sm/api/v1/firewall/zone/services?zone=
port: 9600
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)"; flow:established,to_server; http.uri; content:"/premise/front/getPingData?url=http|3a 2f 2f|0.0.0.0|3a|9600/sm/api/v1/firewall/zone/services?zone="; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; reference:url,ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562; reference:cve,2021-27561; classtype:attempted-admin; sid:2032095; rev:3; metadata:attack_target IoT, created_at 2021_03_17, cve CVE_2021_27561, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_09_20;)
  • Exploit traffic targets Yealink Device Management servers via HTTP GET to the /premise/front/getPingData endpoint, embedding an SSRF/RCE payload referencing an internal service on port 9600
  • CVE-2021-27562 is chained with CVE-2021-27561 in the same Yealink DM pre-auth root-level RCE attack chain; detections for CVE-2021-27561 (the Snort rule above) also reference CVE-2021-27562
  • The vulnerability is exploitable from the NS (non-secure) world by calling secure functions under NSPE handler mode; monitor for unexpected NS-to-S world transitions in handler mode on Arm TrustZone-M devices
  • Affected product context: Yealink Device Management servers are the primary exploitation target in the wild per CISA KEV
  • The Snort rule (sid:2032095) is primarily attributed to CVE-2021-27561 (Yealink RCE) but explicitly cross-references CVE-2021-27562; both CVEs are part of the same attack chain against Yealink DM
  • The underlying vulnerability exists in Arm Trusted Firmware-M through version 1.2; the Yealink DM exploitation surface is the network-facing vector that triggers the TFM out-of-bounds write

CVSS provenance

nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd | v2.0 | 4.9 | MEDIUM | AV:L/AC:L/Au:N/C:N/I:N/A:C
vulncheck | 5.5 | MEDIUM
cisa | 5.5 | MEDIUM