CVE-2025-29660
Published 2025-04-21
Priority: P2 · 64 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.22% (65.0th percentile)
A vulnerability exists in the daemon process of the Yi IOT XY-3820 v6.0.24.10, which exposes a TCP service on port 6789. This service lacks proper input validation, allowing attackers to execute arbitrary scripts present on the device by sending specially crafted TCP requests using directory traversal techniques.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | cm1_kernel_5.4.91-1_on_cbl_mariner_1.0 | — | — |
| yiiot | xy-3820_firmware | — | — |
Detection & IOCs
path: /usr/bin/cmd
snort
alert tcp any any -> $HOME_NET 6789 (msg:"ET WEB_SPECIFIC_APPS Yi IOT XY-3820 Daemon Service Directory Traversal Attempt"; flow:established,to_server; pcre:"/[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/"; content:"/usr/bin/cmd"; fast_pattern; endswith; reference:cve,2025-29660; reference:url,github.com/Yasha-ops/RCE-YiIOT; classtype:attempted-admin; sid:2061774; rev:1; metadata:affected_product IP_Camera, attack_target IoT, tls_state plaintext, created_at 2025_04_21, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit traffic targets TCP port 6789 inbound to the device; monitor for established connections to this port on IoT/camera segments.
- Detect directory traversal sequences in TCP payloads to port 6789: look for repeated dot-dot-slash patterns including URL-encoded variants (%2e, %2f, %5c).
- Payloads ending with /usr/bin/cmd are a strong indicator of exploitation; use this as a fast-pattern anchor in network signatures.
- Traffic is plaintext (no TLS); deploy detection at both perimeter and internal network boundaries.
- Maps to MITRE ATT&CK T1190 (Exploit Public-Facing Application) under Initial Access (TA0001); correlate with other IoT exploitation indicators.
- Vulnerable device is specifically Yi IOT XY-3820 firmware version 6.0.24.10; confirm device inventory before deploying targeted signatures.
- The Snort/Suricata rule (ET sid:2061774) targets $HOME_NET on port 6789; ensure $HOME_NET is correctly scoped to include IoT/camera network segments where these devices are deployed.
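An added example (not part of this page or of the ET ruleset): the two payload conditions of sid:2061774 re-implemented in Python for offline triage of captured to-server payloads. The sample payloads are constructed test strings, not the device's actual request format, and the `alert`/`review`/`clean` labels are this example's own.

```python
import re
from collections import Counter

# Traversal expression copied from the pcre option of ET sid:2061774 above:
# at least two repetitions of (1-2 dots, raw or %2e) + (one or more separators).
TRAVERSAL = re.compile(
    rb"[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}"
)
SUFFIX = b"/usr/bin/cmd"  # content:"/usr/bin/cmd"; endswith (case-sensitive)
PORT = 6789               # destination port the rule is scoped to


def classify(dst_port: int, payload: bytes) -> str:
    """Label one to-server TCP payload as 'alert', 'review' or 'clean'."""
    if dst_port != PORT:
        return "clean"  # outside the rule's scope
    traversal = TRAVERSAL.search(payload) is not None
    suffix = payload.endswith(SUFFIX)
    if traversal and suffix:
        return "alert"   # both rule conditions hold, as the IDS rule requires
    if traversal or suffix:
        return "review"  # partial match: the rule stays silent, an analyst may not
    return "clean"


def triage(records):
    """Count labels over an iterable of (dst_port, payload) pairs."""
    return Counter(classify(port, data) for port, data in records)


# Constructed sample records (dst_port, payload) for demonstration only.
SAMPLES = [
    (6789, b"../../usr/bin/cmd"),               # raw traversal + suffix
    (6789, b"%2e%2e%2f%2e%2e%2f/usr/bin/cmd"),  # URL-encoded traversal + suffix
    (6789, b"../../tmp/x.sh"),                  # traversal, different target
    (6789, b"/usr/bin/cmd"),                    # suffix without traversal
    (6789, b"../status"),                       # single step: below the {2,} threshold
    (80, b"../../usr/bin/cmd"),                 # wrong port
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, data, classify(port, data))
    print(dict(triage(SAMPLES)))
```

The `review` bucket surfaces payloads that satisfy only one of the two conditions, which the network rule alone would not report.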
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc · 4.4 MEDIUM
GHSA
GHSA-chrr-x92m-658x · ghsa_unreviewed · 2025-04-21
CVE-2025-29660 [CRITICAL] CWE-22
Microsoft
vendor_msrc · 2020-12-08 · CVSS 4.4
CVE-2020-29660 [MEDIUM] CWE-416
A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID aka CID-c8bcd9c5be24.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is iden
Suricata
ET WEB_SPECIFIC_APPS Yi IOT XY-3820 Daemon Service Directory Traversal Attempt
suricata·2025-04-21
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-04-21