CVE-2025-68644
Unknown Unknown - Not Provided
Unauthorized Access in Yealink RPS Exposes AutoP URLs

Publication date: 2025-12-21

Last updated on: 2025-12-21

Assigner: MITRE

Description
Yealink RPS before 2025-06-27 allows unauthorized access to information, including AutoP URL addresses. This was fixed by deploying an enhanced authentication mechanism through a security update to all cloud instances.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-21
Last Modified
2025-12-21
Generated
2026-06-16
AI Q&A
2025-12-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68644
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yealink rps *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68644 is a high-severity vulnerability in Yealink's Remote Provisioning Service (RPS) that allows unauthorized third parties to access sensitive information, specifically AutoP URL addresses. This occurs due to broken access control and authentication failures, enabling attackers to spoof and retrieve confidential provisioning URLs without proper authorization. The issue was fixed by deploying an enhanced multi-factor authentication mechanism and other security improvements. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive provisioning information (AutoP URLs), which could allow attackers to compromise device configurations or intercept sensitive data. The impact includes a high risk to confidentiality and integrity of the system, potentially enabling attackers to spoof legitimate services and manipulate provisioning processes. However, it does not affect system availability. [1, 2]

Mitigation Strategies

To mitigate this vulnerability, you should ensure that the security update released on June 27, 2025, which implements an enhanced multi-factor authentication mechanism, is deployed to your Yealink RPS instances. This update has been automatically deployed to all cloud service instances. Additionally, you should contact Yealink technical support for the latest information and consult the Security News section of Yealink’s Technical Support Center for advanced security guidance. [2]

Compliance Impact

The provided resources do not explicitly discuss the impact of CVE-2025-68644 on compliance with common standards and regulations such as GDPR or HIPAA. However, the vulnerability involves unauthorized access to sensitive information (AutoP URL addresses), which could potentially lead to confidentiality breaches. Yealink has remediated the issue by implementing enhanced authentication mechanisms and conducting third-party penetration testing to align with industry best practices. This remediation likely supports compliance efforts by addressing broken access control and authentication failures, which are critical for protecting sensitive data under regulations like GDPR and HIPAA. Nonetheless, no direct statements about compliance impact are provided. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68644. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart