CVE-2025-68644
Unauthorized Access in Yealink RPS Exposes AutoP URLs
Publication date: 2025-12-21
Last updated on: 2025-12-21
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yealink | rps | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68644 is a high-severity vulnerability in Yealink's Remote Provisioning Service (RPS) that allows unauthorized third parties to access sensitive information, specifically AutoP URL addresses. This occurs due to broken access control and authentication failures, enabling attackers to spoof and retrieve confidential provisioning URLs without proper authorization. The issue was fixed by deploying an enhanced multi-factor authentication mechanism and other security improvements. [1, 2]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive provisioning information (AutoP URLs), which could allow attackers to compromise device configurations or intercept sensitive data. The impact includes a high risk to confidentiality and integrity of the system, potentially enabling attackers to spoof legitimate services and manipulate provisioning processes. However, it does not affect system availability. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should ensure that the security update released on June 27, 2025, which implements an enhanced multi-factor authentication mechanism, is deployed to your Yealink RPS instances. This update has been automatically deployed to all cloud service instances. Additionally, you should contact Yealink technical support for the latest information and consult the Security News section of Yealinkβs Technical Support Center for advanced security guidance. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss the impact of CVE-2025-68644 on compliance with common standards and regulations such as GDPR or HIPAA. However, the vulnerability involves unauthorized access to sensitive information (AutoP URL addresses), which could potentially lead to confidentiality breaches. Yealink has remediated the issue by implementing enhanced authentication mechanisms and conducting third-party penetration testing to align with industry best practices. This remediation likely supports compliance efforts by addressing broken access control and authentication failures, which are critical for protecting sensitive data under regulations like GDPR and HIPAA. Nonetheless, no direct statements about compliance impact are provided. [1, 2]