CVE-2025-66738

An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component.

high 8.8 CVSS 3.1

Published: Dec 26, 2025

Modified: Jan 9, 2026

Vendor: Yealink

Versions: 52.84.0.15

Description

An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component.

References

http://yealink.com
https://drive.google.com/file/d/13t5ywSPJMx4487njJcH3ZTNuc_k3h4ty/view?usp=sharing

Related CVEs

CVSS Breakdown

Version	3.1
Score	8.8 / 10
Severity	high

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness (CWE)

CWE-77

Affected Product

Vendor	Yealink
Product	Sip-T21\(P\)E2 Firmware
Versions	52.84.0.15