Yealink YMCS OpenAPI Access Control Bypass Vulnerability for Frozen Enterprise Accounts

Vulnerability

Yealink YMCS (Yealink Management Cloud Service) before the 2025-05-26 update did not properly restrict OpenAPI access for frozen enterprise accounts. Freezing an enterprise is meant to deactivate its OpenAPI interfaces, but requests made with that enterprise's OpenAPI credentials were still accepted, so a caller whose access should have been revoked could continue to reach those interfaces.

Impact

Successful exploitation gives access to OpenAPI interfaces that should have been deactivated with the account, which may allow actions to be performed or data to be read through those interfaces on behalf of the frozen enterprise. The freeze itself provides no protection at the API boundary until the fix is applied.

Remediation

Yealink released a security update on May 26, 2025, which was deployed automatically to all YMCS cloud service instances, so no customer-side upgrade is needed. Operators who froze an enterprise before that date may still want to review OpenAPI access logs for calls accepted from that enterprise after the freeze. For additional information, customers can contact Yealink technical support.
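
As an added illustration (not Yealink's code, and not derived from the advisory, which gives no root-cause detail), the block below models the general bug class behind this advisory: an OpenAPI layer that verifies a caller's signed request but never re-checks whether the owning enterprise is still active, shown next to the hardened per-request check, plus a retrospective scan of constructed access-log records for calls accepted after an enterprise was frozen. The HMAC signing scheme, header names, tenant store and log records are all hypothetical.

```python
"""Hypothetical model of the bug class in the advisory above: credential
validity is checked, account status is not. Not Yealink's code or data."""

import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Enterprise:
    enterprise_id: str
    status: str        # "active" or "frozen"
    api_secret: str    # shared secret used to sign OpenAPI requests


# Constructed tenant store with two sample enterprises (not real accounts).
ENTERPRISES = {
    "ent-100": Enterprise("ent-100", "active", "secret-100"),
    "ent-200": Enterprise("ent-200", "active", "secret-200"),
}


def freeze_enterprise(enterprise_id: str) -> None:
    """Administrative freeze: the account is deactivated but its secret remains
    on file, which is exactly the state in which the flawed check fails."""
    ENTERPRISES[enterprise_id].status = "frozen"


def sign_request(enterprise_id: str, method: str, path: str, ts: int) -> dict:
    """Client side of a hypothetical HMAC-SHA256 signed-request scheme."""
    secret = ENTERPRISES[enterprise_id].api_secret
    msg = f"{method}\n{path}\n{ts}".encode()
    sig = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return {"X-Enterprise-Id": enterprise_id, "X-Timestamp": str(ts), "X-Signature": sig}


def verify_signature(headers: dict, method: str, path: str, now: int, max_skew: int = 300):
    """Return the Enterprise if the signature is valid and fresh, else None.
    Deliberately says nothing about account status; that is the caller's job."""
    ent = ENTERPRISES.get(headers.get("X-Enterprise-Id", ""))
    if ent is None:
        return None
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None
    if abs(now - ts) > max_skew:
        return None
    msg = f"{method}\n{path}\n{ts}".encode()
    expected = hmac.new(ent.api_secret.encode(), msg, hashlib.sha256).hexdigest()
    presented = headers.get("X-Signature", "")
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    return ent


def vulnerable_authorize(headers: dict, method: str, path: str, now: int):
    """Flawed check: a valid signature is treated as sufficient, so a frozen
    enterprise keeps calling the API with the secret issued while it was active."""
    ent = verify_signature(headers, method, path, now)
    if ent is None:
        return 401, "invalid or stale signature"
    return 200, f"ok:{ent.enterprise_id}"


def hardened_authorize(headers: dict, method: str, path: str, now: int):
    """Fixed check: credential validity AND current account status, on every
    request, read from the tenant store rather than from anything the client sends."""
    ent = verify_signature(headers, method, path, now)
    if ent is None:
        return 401, "invalid or stale signature"
    if ent.status != "active":
        return 403, "enterprise account is frozen"
    return 200, f"ok:{ent.enterprise_id}"


# Constructed access-log records: (enterprise_id, unix time, HTTP status returned).
SAMPLE_LOG = [
    ("ent-100", 1_748_000_000, 200),
    ("ent-200", 1_748_000_100, 200),
    ("ent-200", 1_748_100_000, 200),   # accepted after the freeze recorded below
    ("ent-200", 1_748_100_050, 401),
]
# Constructed freeze events: enterprise_id -> unix time the account was frozen.
FREEZE_EVENTS = {"ent-200": 1_748_050_000}


def accepted_after_freeze(log, freeze_events):
    """Retrospective check: successful OpenAPI calls from an enterprise made at
    or after the moment it was frozen. Each hit is a call the freeze should have blocked."""
    return [
        rec for rec in log
        if rec[0] in freeze_events and rec[1] >= freeze_events[rec[0]] and rec[2] == 200
    ]
```

The point of `hardened_authorize` is that the status lookup happens on every call against the server-side tenant record: rotating or revoking the secret at freeze time would also work, but a per-request status check stays correct even if the freeze and the credential store are managed by different subsystems. `accepted_after_freeze` is the kind of log review an operator might run for enterprises frozen before the vendor fix landed.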

Added: Jun 21, 2025, 11:23 PM
Updated: Jun 22, 2025, 12:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.