Four newly disclosed security vulnerabilities in Yealink’s widely deployed IP phones and cloud-based Redirect and Provisioning Service (RPS) have thrust business communications security into urgent focus, with CISA warning that exploit could lead to information disclosure and unauthorized access. The flaws, assigned CVE identifiers 2025-52916 through 2025-52919, carry CVSS v4 scores as high as 5.3 and affect dozens of models spanning enterprise desk phones, conference units, and cordless solutions. Patching is already underway, but the advisory—released in coordination with researcher Jeroen Hermans of CloudAware—underscores the persistent risk of supply chain complexity and legacy hardware in modern VoIP environments.

Yealink, headquartered in China, is a dominant force in global VoIP hardware, with its IP phones and RPS platform used by enterprises, service providers, and critical communications sectors worldwide. The RPS service, essential for bulk provisioning and remote device management, allows administrators to deploy and configure endpoints at scale—but also presents a high-value attack surface. The vulnerabilities highlighted by CISA span improper authentication controls, missing rate limits, incorrect API authorization, and flawed certificate validation, each capable of eroding trust in voice communications infrastructure.

The Four Vulnerabilities: How They Work and What’s at Risk

CVE-2025-52916 – Brute-Force Enumeration of Device Serial Numbers (CVSS 2.1)

Affected Yealink phones do not restrict repeated serial number verification attempts, enabling attackers to brute-force the last five digits of a device’s serial number. The CVSS v4 score of 2.1 reflects the required high privileges and attack complexity, but at scale, this weakness can leak information about deployed devices. An attacker who can interact with the verification endpoint may compile valid serial numbers for reconnaissance or future targeted attacks. In environments where serial numbers correlate with provisioning templates or user accounts, the risk amplifies.

CVE-2025-52917 – Missing Rate Limiting (CVSS 5.3)

The lack of request throttling on phones and the RPS infrastructure allows threat actors to flood endpoints or cloud services with excessive queries. With a CVSS v4 base score of 5.3, this vulnerability poses a more immediate danger: automation can enable systematic information scraping, resource exhaustion, and potential denial-of-service conditions. In a real-world scenario, an attacker could repeatedly poll provisioning APIs to map active devices, then use that insight to craft convincing social engineering lures or to overload the RPS, disrupting large-scale deployments.

CVE-2025-52918 – Unauthorized Access to OpenAPIs for Frozen Accounts (CVSS 5.3)

Incorrect authorization logic in the affected products exposes OpenAPI interfaces tied to frozen (deactivated) enterprise accounts. Despite an account being suspended, certain API endpoints remain accessible without proper authentication. The result: an adversary can query or interact with deactivated interfaces, potentially extracting configuration data, provisioning details, or user credentials. This flaw is particularly alarming for managed service providers and multi-tenant environments where strict access segmentation is paramount.

CVE-2025-52919 – Improper Certificate Validation (CVSS 5.3)

The certificate upload mechanism within Yealink’s ecosystem fails to robustly validate certificate content. Attackers can upload malformed or malicious certificates, weakening the integrity of TLS sessions. This opens the door to man-in-the-middle attacks, downgrades of cryptographic assurance, and the injection of rogue certificates that could be used to impersonate legitimate services. Given that enterprise VoIP often tunnels through TLS-secured SIP trunks and encrypted admin interfaces, a subverted certificate chain could silently eviscerate communications security.

Extensive Product Impact: A Long List of Affected Models

The advisory includes a sweeping list of impacted devices, from entry-level SIP-T19P_E2 handsets to premium SIP-T57W and CP960 conference phones. All builds of the RPS cloud service prior to May 26, 2025, are vulnerable. Models explicitly noted require firmware updates to the following minimum versions:

  • SIP-T19P_E2: 53.84.0.160
  • SIP-T21P_E2: 52.84.0.160
  • SIP-T23G: 44.84.0.160
  • SIP-T40G: 76.84.0.160
  • SIP-T40P: 54.84.0.160
  • SIP-T27G: 69.86.0.160
  • SIP-T41S: 66.86.0.83
  • SIP-T42S: 66.86.0.83
  • SIP-T46S: 66.86.0.83
  • SIP-T48S: 66.86.0.83
  • SIP-CP920: 78.86.0.15
  • SIP-T53/T53W/T54W/T57W: 96.86.0.75
  • SIP-T56A: 58.86.0.160
  • SIP-T58: 58.86.0.160
  • W52P: 25.81.0.160
  • W60B: 77.85.0.160
  • CP960: 73.86.0.160

Several legacy models, including the T20P, T22P, T26P, T27P, T52S, and T54S, are no longer receiving RPS support and demand alternative mitigations or retirement.

Real-World Attack Scenarios and Business Impact

The combination of these four vulnerabilities paints a worrying picture for enterprise security teams. An attacker might first brute-force valid serial numbers, then leverage the missing rate limits to map the entire device fleet. Armed with valid identifiers, they could probe frozen accounts via the OpenAPI flaw to uncover provisioning credentials or configuration templates. Finally, injecting a rogue certificate could enable man-in-the-middle interception of sensitive voice and signaling traffic.

Beyond information disclosure, the potential for denial-of-service attacks is real: unthrottled requests can swamp the RPS, leaving administrators unable to provision or manage devices during an incident. Supply chain attacks become more plausible if adversaries compromise devices during manufacturing or shipping, then use the serial number and provisioning weaknesses to maintain persistent access post-deployment.

Mitigation: Immediate Patching and Hardening

CISA and Yealink urge a three-pronged defense: immediate firmware updates, network isolation, and defense-in-depth strategies.

  • Update all affected devices to the versions listed above. Yealink has patched all active RPS cloud instances, and users should verify their account status if they operate private deployments.
  • Isolate voice networks behind firewalls, separate from business LANs, and ensure that control plane interfaces are not exposed to the internet. When remote management is necessary, use VPNs with up-to-date security patches.
  • Adopt a defense-in-depth posture: enforce least-privilege for administrative APIs, implement rigorous certificate validation and revocation checks, and monitor for unusual traffic patterns or configuration changes in voice infrastructure.

Organizations should also conduct risk assessments before deploying any new devices or provisioning workflows, and report suspicious activity to CISA for cross-incident correlation.

Analysis: Swift Response, Lingering Challenges

Yealink’s response has been commendably swift. The company coordinated disclosure with CISA, released detailed patch information, and transparently communicated which models required updates. The public listing of exact firmware versions removes ambiguity for IT teams during emergency patching.

But the advisory also exposes systemic challenges. A significant number of affected devices—especially older models like the T20P and T22P—are now end-of-life and no longer supported. In many small and midsize businesses, these handsets remain in active use, creating a persistent attack surface. Supply chain complexity further complicates remediation: Yealink products are sold and managed through a global network of distributors and managed service providers, each with its own patching cadence. Misaligned priorities could leave vulnerable devices online for months.

The improper certificate validation flaw is particularly concerning because it undermines the foundational trust of encrypted communications. Even after patching, organizations must ensure that their certificate management processes catch and reject improperly formed certificates, or the risk of silent interception remains.

The Bigger Picture: Securing VoIP in the Hybrid Workplace

As voice communications increasingly merge with unified communications platforms and cloud services, the attack surface of IP phones extends far beyond simple dial tone. These devices are now nodes in a complex, interconnected ecosystem that includes SIP proxies, collaboration apps, and sensitive backend systems. The Yealink vulnerabilities illustrate that even mature products can harbor fundamental flaws in authentication, authorization, and cryptographic validation.

Critical infrastructure operators, especially those in the communications sector, must treat VoIP endpoints as potential entry points for broader network compromise. Regular asset inventories should track end-of-support dates, and automated alerting should trigger when security advisories are published. Manufacturers, for their part, must continue to collaborate with independent researchers and agencies like CISA to drive transparent, rapid vulnerability disclosure.

The days of treating IP phones as dumb endpoints are over. These devices hold configuration secrets, participate in authenticated sessions, and often sit on the same network as critical servers—making them prime targets for determined adversaries. The Yealink advisory is a stark reminder that security in enterprise telephony demands constant vigilance, prompt patching, and a zero-trust mindset applied to every device on the wire.