Widespread vulnerabilities affecting Yealink IP Phones and their Redirect and Provisioning Service (RPS) have put thousands of business communications endpoints at risk of exploitation, forcing urgent updates and raising critical questions about supply chain security in enterprise telephony. With a CVSS v4 score as high as 5.3 and flaws ranging from improper authentication controls to certificate validation errors, this alert brings renewed focus to the challenges of securing devices that underpin modern hybrid workplaces.

Background

Yealink, headquartered in China, stands as one of the leading suppliers of Voice over IP (VoIP) hardware worldwide, with its IP phones and cloud-based RPS widely deployed across communication sectors. The RPS platform plays a pivotal role in large-scale provisioning and remote device management, letting administrators configure and deploy endpoints efficiently but also presenting an attractive target for cyberattacks. These platforms support critical sectors globally, spanning enterprises, service providers, and sensitive infrastructure.
Recent research by CloudAware’s Jeroen Hermans, disclosed via CISA, revealed multiple vulnerabilities within a broad range of Yealink SIP phones and the RPS cloud service, affecting legacy and current models used across industries. These issues include weak brute-force protections, lack of resource throttling, improper API authorization, and certificate handling deficiencies.

The Vulnerabilities in Detail

Improper Restriction of Excessive Authentication Attempts (CWE-307)

Yealink’s affected phones do not limit the number of serial number verification attempts, enabling attackers to brute-force device authentication, particularly by enumerating the last five digits of serial numbers. This vulnerability (CVE-2025-52916) carries a CVSS v4 score of 2.1—low on the spectrum, but concerning at scale or when combined with other weaknesses. Information disclosure risks arise if brute-force attempts allow unauthorized actors to gain partial insight into deployed device identities or configurations.

Allocation of Resources Without Limits or Throttling (CWE-770)

Phones and management infrastructure fail to implement rate limits, opening the door to attackers bombarding endpoints or the RPS with excessive requests. This second flaw, tracked as CVE-2025-52917 and rated at 5.3 (CVSS v4), can lead to systematic information disclosure without requiring significant attacker sophistication. The risk intensifies in scenarios where attackers leverage automation, potentially resulting in operational disruption or expanded reconnaissance opportunities.
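As an added illustration of the server-side control whose absence underlies CWE-307 and CWE-770 above, the following is example code written for this article, not Yealink's or the RPS's own implementation: a serial-number check behind a per-client sliding-window failure limit and lockout, with a constant-time comparison so timing does not reveal partial matches. The serial values, limits and the `VerificationGuard` class are assumptions constructed for the example.

```python
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5     # failed checks a client may make within WINDOW seconds
WINDOW = 300.0       # sliding window length in seconds
LOCKOUT = 900.0      # seconds a client stays blocked after hitting the limit

# Constructed registry of provisioned serial numbers (hypothetical values,
# not real Yealink serials).
KNOWN_SERIALS = {"YL00000012345", "YL00000067890"}


class VerificationGuard:
    """Per-client sliding-window throttle with lockout for serial checks."""

    def __init__(self, now=time.monotonic):
        self._now = now                        # injectable clock for testing
        self._failures = defaultdict(deque)    # client -> failure timestamps
        self._locked_until = {}                # client -> unlock time

    def verify(self, client, serial):
        """Return (accepted, reason); locked clients are refused before lookup."""
        now = self._now()
        if self._locked_until.get(client, 0.0) > now:
            return False, "locked"
        q = self._failures[client]
        while q and now - q[0] > WINDOW:       # forget failures outside window
            q.popleft()
        # Compare against every record with a constant-time compare so that
        # response time does not reveal how much of a guessed serial matched.
        found = False
        for known in KNOWN_SERIALS:
            found |= hmac.compare_digest(known.encode(), serial.encode())
        if found:
            return True, "ok"
        q.append(now)
        if len(q) >= MAX_FAILURES:             # limit reached: start lockout
            self._locked_until[client] = now + LOCKOUT
            return False, "locked"
        return False, "invalid"
```

Once a client is locked, even a correct serial is refused until the lockout expires, which is what removes the incentive to enumerate the remaining digits.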

Incorrect Authorization on OpenAPIs (CWE-863)

Incorrect authorization logic (CVE-2025-52918) allows threat actors to access OpenAPI interfaces linked to frozen (deactivated) enterprise accounts. Despite the deactivation of these accounts, certain API endpoints remained exposed, permitting actions and queries without proper authorization. With a CVSS v4 score of 5.3, this vulnerability is particularly concerning for organizations that rely on rigorous access control in multi-tenant or managed environments.

Improper Certificate Validation (CWE-295)

The certificate upload mechanism within the affected systems fails to robustly validate uploaded certificates’ content. CVE-2025-52919, also rated 5.3 in CVSS v4, means that attackers could introduce improperly formed or malicious certificates, weakening the integrity of TLS-secured sessions and potentially enabling man-in-the-middle (MitM) attacks or downgrades in cryptographic assurance.

Scope of Impact

The range of affected products is extensive, touching entry-level endpoints such as the SIP-T19P_E2 through premium devices like the SIP-T57W and specialized products such as the CP920 conference unit. Importantly, all builds of the RPS platform prior to May 26, 2025, are vulnerable, which implicates customers leveraging Yealink’s cloud provisioning for bulk deployment or centralized configuration.
Models explicitly called out include:
  • SIP-T19P_E2, T21P_E2, T23G, T27G, T41S/SIP-T42S/T46S/T48S
  • SIP-CP920, SIP-T53/T53W/T54W/T57W/T56A/T58, W52P, W60B, CP960
  • Legacy models T27P/T29G/T41P/T42G/T46G/T48G and the entire T20P, T22P, T26P, T27P, T52S, T54S series
As of the latest advisory, all RPS instances running prior to Yealink’s May 26, 2025 fix are in scope, a fact particularly relevant for managed service providers and IT integrators supporting geographically distributed deployments.

Real-World Risks and Attack Scenarios

Information Disclosure

The converging effect of authentication brute-force and rate-limiting failures is an elevated risk of information disclosure about devices, such as valid serial numbers, configuration states, or even user credentials under certain improperly locked configurations. This enables attackers to prepare for more targeted campaigns or social engineering against support teams and IT administrators.

Threats to Availability and Confidentiality

Unrestricted requests can degrade RPS or device performance, potentially constituting a denial-of-service (DoS) vector. More insidious are attacks where improper authorization or invalid certificate uploads lead to persistent, low-visibility threats—such as data eavesdropping or session hijacking.

Compromised Supply Chain and Configuration Integrity

With phones typically deployed in networks with little physical oversight, supply chain attacks that compromise device integrity during manufacturing, shipping, or initial configuration become plausible. Attackers privy to device serial numbers or able to inject rogue certificates via the provisioning system may exploit these weaknesses before IT teams can establish hardened postures.

Mitigation Actions and Recommendations

Urgent Software Updates

Administrators are strongly advised to immediately update all impacted IP phones to the patched firmware versions specified by Yealink. These firmware releases close the highlighted loopholes and address core deficiencies in authentication, rate-limiting, certificate handling, and API security.
Key update targets include:
  • Entry-level to professional desk phones: Update to at least versions 53.84.0.160, 52.84.0.160, 44.84.0.160, 76.84.0.160, 66.86.0.83, and others as prescribed for each variant.
  • Conference units and cordless solutions: Updates like 78.86.0.15 (CP920), 73.86.0.160 (CP960), 25.81.0.160 (W52P), and 77.85.0.160 (W60B) are essential.
  • RPS Cloud Service: Yealink has rolled out fixes across all active cloud instances—users should verify their account status and provisioning configuration for any custom or private-deployed builds.
  • End-of-support models: Devices such as T20P, T22P, T26P, T27P, T52S, T54S are no longer receiving RPS support, so alternative mitigations or device retirement should be evaluated.

Network Isolation and Hardening

Best practices recommend keeping control system devices and related endpoints off directly accessible network segments—especially isolating them from internet exposure. Devices should reside behind firewalls and be segmented from general business networks, with remote access tightly controlled via up-to-date VPN solutions.
It is critical to remember that a VPN provides security only to the extent that the endpoints it connects remain trustworthy: compromised phones remain a risk vector even in virtualized environments.

Defense-in-Depth

Organizations are urged to adopt a “defense-in-depth” security strategy, incorporating multiple, redundant layers including:
  • Least-privilege access control for both administrative interfaces and OpenAPI endpoints
  • Consistent and timely patch management
  • Rigorous certificate management, including validation and revocation checks
  • Monitoring and alerting on unusual traffic or configuration changes relating to voice infrastructure
Routine impact analysis and ongoing risk assessments must be performed prior to the widespread deployment of new devices, firmware, or provisioning workflows. Suspicious activity or signs of possible exploitation should be escalated via internal incident handling protocols and reported to authorities or sector-specific security teams for broader threat correlation.
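To make the monitoring item above concrete, here is example detection logic added for this article (not a Yealink, CISA or RPS artifact) that runs over constructed provisioning-service log lines in a hypothetical key=value format. It raises one alert when a single source fails serial checks against many distinct serial suffixes, the pattern described under CWE-307, and one whenever an OpenAPI call is served under a frozen account, the condition behind CWE-863; the log format, field names and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical key=value format; this is not
# Yealink's or CISA's log format.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z src=203.0.113.7 event=serial_check result=fail suffix=12340
2025-06-01T10:00:02Z src=203.0.113.7 event=serial_check result=fail suffix=12341
2025-06-01T10:00:03Z src=203.0.113.7 event=serial_check result=fail suffix=12342
2025-06-01T10:00:04Z src=198.51.100.9 event=serial_check result=ok suffix=67890
2025-06-01T10:00:05Z src=203.0.113.7 event=serial_check result=fail suffix=12343
2025-06-01T10:00:06Z src=203.0.113.7 event=serial_check result=fail suffix=12344
2025-06-01T10:00:07Z src=203.0.113.7 event=serial_check result=fail suffix=12344
2025-06-01T10:05:00Z src=198.51.100.9 event=api_call account=acme status=active path=/devices
2025-06-01T10:05:01Z src=203.0.113.7 event=api_call account=oldco status=frozen path=/devices
"""

DISTINCT_SUFFIX_THRESHOLD = 5   # distinct failed suffixes per source before alerting
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse(text):
    """Yield a dict of fields (timestamp under 'ts') per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip truncated or unparsable lines
        fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
        fields["ts"] = m["ts"]
        yield fields


def detect(text):
    """Return alerts as (rule, src) tuples, at most one per source per rule."""
    alerts = []
    seen_suffixes = defaultdict(set)   # src -> distinct suffixes that failed
    for f in parse(text):
        src = f.get("src", "?")
        if f.get("event") == "serial_check" and f.get("result") == "fail":
            suffix = f.get("suffix", "")
            s = seen_suffixes[src]
            if suffix not in s:        # repeats of one wrong suffix do not count
                s.add(suffix)
                # Many distinct wrong suffixes from one source is enumeration.
                if len(s) == DISTINCT_SUFFIX_THRESHOLD:
                    alerts.append(("serial_enumeration", src))
        elif f.get("event") == "api_call" and f.get("status") == "frozen":
            # A frozen account should not be able to reach any OpenAPI path.
            alerts.append(("frozen_account_api_call", src))
    return alerts
```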

Critical Analysis: Strengths and Persistent Gaps

Notable Strengths in Yealink’s Response

  • Rapid Patching: Yealink responded promptly with firmware updates and a swift cloud-side patch for all active RPS deployments. This rapid response is vital in mitigating newly disclosed weaknesses before exploitation becomes widespread.
  • Transparent Communication: The publication of explicit firmware versions and in-scope product listings simplifies the update process for IT teams, promoting timely remediation.
  • Industry Collaboration: The joint disclosure with CISA and acknowledgement of independent research promotes industry-wide vigilance—and illustrates a maturing security posture.

Potential Risks and Lasting Challenges

  • Legacy Hardware Exposure: Several affected models—including some that form the backbone of small office installations—remain out of support. These pose a continued risk as attackers refine methods to exploit vulnerabilities, particularly in environments slow to retire legacy kit.
  • Supply Chain Complexity: Given the widespread, global nature of Yealink deployments, ensuring every customer—especially those in critical sectors or with distributed assets—receives and applies mandated updates remains a massive logistical challenge.
  • Enterprise Awareness Gaps: Many organizations rely on third-party managed service providers (MSPs) and large-scale integrators, which can lead to misalignment in vulnerability response timelines and security priorities.
  • Certificate Validation Issue: Improper certificate validation, if exploited, could undermine broader communications security, not just within Yealink phones but in how they interoperate with SIP proxies and encrypted backend services.

The Bigger Picture: Securing the Future of VoIP

The Yealink RPS advisory underscores the strategic importance of supply chain security, device lifecycle management, and rapid vulnerability response in the VoIP sector. With communications infrastructure increasingly targeted by sophisticated actors—from criminal groups to state-linked adversaries—any friction in remediation or lapses in device isolation can have cascading impacts, ranging from information leaks to network-wide telephony outages.
Critical infrastructure operators, especially those serving communications, must remain vigilant in tracking device lifecycle statuses and enforcing best-in-class network segmentation. Enterprises should invest in policy frameworks that trigger automatic alerts for end-of-support announcements or advisories, ensuring prompt action before vulnerabilities can be weaponized.
Manufacturers must continue collaborating with independent researchers and government agencies to establish a culture of transparency and rapid coordinated vulnerability disclosure. Legacy devices—often overlooked but widely deployed—require especially careful oversight to prevent their transformation into persistent entry points for ongoing campaigns.

Conclusion

The newly disclosed vulnerabilities affecting Yealink IP Phones and the associated RPS cloud provisioning service illustrate persistent challenges in securing business-critical communications infrastructure. While vendor response has been swift and coordinated, organizational inertia, legacy product footprints, and supply chain complexities leave gaps that determined attackers may seek to exploit.
Urgent firmware updates, network segmentation, and layered defenses must become baseline practices for all organizations reliant on IP-based voice communications. As the threat landscape evolves, proactive adaptation—rooted in robust cybersecurity hygiene and cross-industry information sharing—remains the surest path to safeguarding communications in an interconnected era.

Source: CISA Yealink IP Phones and RPS (Redirect and Provisioning Service) | CISA