cbcvebase.
CVE-2025-29660
published 2025-04-21

Priority: P2 64 · critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.22% (65.0th percentile)
A vulnerability exists in the daemon process of the Yi IOT XY-3820 v6.0.24.10, which exposes a TCP service on port 6789. This service lacks proper input validation, allowing attackers to execute arbitrary scripts present on the device by sending specially crafted TCP requests using directory traversal techniques.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
msrc | cm1_kernel_5.4.91-1_on_cbl_mariner_1.0 | |
yiiot | xy-3820_firmware | |

Detection & IOCs (extracted from sources)

port: 6789/tcp
path: /usr/bin/cmd
snort
alert tcp any any -> $HOME_NET 6789 (msg:"ET WEB_SPECIFIC_APPS Yi IOT XY-3820 Daemon Service Directory Traversal Attempt"; flow:established,to_server; pcre:"/[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/"; content:"/usr/bin/cmd"; fast_pattern; endswith; reference:cve,2025-29660; reference:url,github.com/Yasha-ops/RCE-YiIOT; classtype:attempted-admin; sid:2061774; rev:1; metadata:affected_product IP_Camera, attack_target IoT, tls_state plaintext, created_at 2025_04_21, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic targets TCP port 6789 inbound to the device; monitor for established connections to this port on IoT/camera segments.
  • Detect directory traversal sequences in TCP payloads to port 6789: look for repeated dot-dot-slash patterns including URL-encoded variants (%2e, %2f, %5c).
  • Payloads ending with /usr/bin/cmd are a strong indicator of exploitation; use this as a fast-pattern anchor in network signatures.
  • Traffic is plaintext (no TLS); deploy detection at both perimeter and internal network boundaries.
  • Maps to MITRE ATT&CK T1190 (Exploit Public-Facing Application) under Initial Access (TA0001); correlate with other IoT exploitation indicators.
  • Vulnerable device is specifically Yi IOT XY-3820 firmware version 6.0.24.10; confirm device inventory before deploying targeted signatures.
  • The Snort/Suricata rule (ET sid:2061774) targets $HOME_NET on port 6789; ensure $HOME_NET is correctly scoped to include IoT/camera network segments where these devices are deployed.
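The two conditions the ET rule combines (a repeated, possibly URL-encoded traversal sequence, and the /usr/bin/cmd anchor at the very end of the payload) re-implemented in Python so they can be checked against constructed payloads before the signature is tuned. This is an added example, not code from the page or from the ET ruleset; the payload samples are constructed for illustration and are not captured exploit traffic.

```python
import re

# Byte-for-byte translation of the rule's pcre: two or more groups of one or
# two dots (literal or %2e) each followed by one or more slash variants
# (literal "/" or "\", or %2f / %5c). The lazy [^\x26]*? prefix is kept from
# the rule; with re.search it simply allows the sequence to appear anywhere
# before the first '&'.
TRAVERSAL_RE = re.compile(
    rb"[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}"
)
TARGET_PORT = 6789            # daemon port from the advisory
ANCHOR = b"/usr/bin/cmd"      # rule's content + endswith modifier

def matches_cve_2025_29660(dst_port: int, payload: bytes) -> bool:
    """True when a to-server payload satisfies every condition of ET sid:2061774:
    destination port 6789, payload ends with /usr/bin/cmd, and a repeated
    traversal sequence (any supported encoding) is present."""
    if dst_port != TARGET_PORT:
        return False
    if not payload.endswith(ANCHOR):          # 'endswith' means end of buffer
        return False
    return TRAVERSAL_RE.search(payload) is not None

# Constructed samples (port, payload, note); expected verdicts are in scan().
SAMPLES = [
    (6789, b"../../../usr/bin/cmd", "plain dot-dot-slash traversal"),
    (6789, b"%2e%2e%2f%2e%2e%2f/usr/bin/cmd", "URL-encoded dots and slashes"),
    (6789, b"..%5c..%5c/usr/bin/cmd", "encoded backslash separators"),
    (6789, b"GET /usr/bin/cmd", "anchor present but no traversal"),
    (6789, b"../../../usr/bin/cmd?x=1", "anchor not at end of payload"),
    (8080, b"../../../usr/bin/cmd", "wrong destination port"),
]

def scan(samples=SAMPLES):
    """Run the detector over the samples; returns [(note, alerted), ...]."""
    return [(note, matches_cve_2025_29660(port, data)) for port, data, note in samples]

if __name__ == "__main__":
    for note, hit in scan():
        print(f"{'ALERT ' if hit else 'quiet '} {note}")
```

Only the first three samples should alert; the last three show why the port, the endswith anchor and the traversal pattern are all needed to keep false positives down.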

CVSS provenance

nvd: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc: 4.4 MEDIUM