Vulnerabilites related to yealink - configuration_encryption_tool
Vulnerability from fkie_nvd
Published
2024-02-23 23:15
Modified
2025-03-25 18:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers' installations.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gitaware/CVE/tree/main/CVE-2024-24681 | Third Party Advisory | |
| cve@mitre.org | https://seclists.org/fulldisclosure/2024/Feb/22 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gitaware/CVE/tree/main/CVE-2024-24681 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://seclists.org/fulldisclosure/2024/Feb/22 | Mailing List |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| yealink | configuration_encryption_tool | * | |
| yealink | configuration_encryption_tool | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:yealink:configuration_encryption_tool:*:*:*:*:rsa:*:*:*",
"matchCriteriaId": "9036114A-94DC-4846-841D-5B33B0648D19",
"versionEndExcluding": "1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:yealink:configuration_encryption_tool:-:*:*:*:aes:*:*:*",
"matchCriteriaId": "F6F45166-A35B-463E-B62F-37E7B0D69334",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers\u0027 installations."
},
{
"lang": "es",
"value": "Clave AES insegura en la herramienta de cifrado de configuraci\u00f3n de Yealink inferior a la versi\u00f3n 1.2. Se filtr\u00f3 una \u00fanica clave AES codificada en todo el proveedor en la herramienta de configuraci\u00f3n utilizada para cifrar los documentos de aprovisionamiento, lo que comprometi\u00f3 la confidencialidad de los documentos de aprovisionamiento."
}
],
"id": "CVE-2024-24681",
"lastModified": "2025-03-25T18:15:31.937",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-23T23:15:09.687",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gitaware/CVE/tree/main/CVE-2024-24681"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "https://seclists.org/fulldisclosure/2024/Feb/22"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gitaware/CVE/tree/main/CVE-2024-24681"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://seclists.org/fulldisclosure/2024/Feb/22"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-20 00:15
Modified
2025-08-26 14:36
Severity ?
Summary
Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key pair, and thus there is a risk of decryption by an adversary.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| yealink | configuration_encryption_tool | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:yealink:configuration_encryption_tool:*:*:*:*:rsa:*:*:*",
"matchCriteriaId": "9036114A-94DC-4846-841D-5B33B0648D19",
"versionEndExcluding": "1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key pair, and thus there is a risk of decryption by an adversary."
},
{
"lang": "es",
"value": "Yealink Config Encrypt Tool agrega RSA anterior a 1.2 tiene un par de claves RSA incorporado y, por lo tanto, existe el riesgo de que un adversario lo descifre."
}
],
"id": "CVE-2022-48625",
"lastModified": "2025-08-26T14:36:46.143",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-20T00:15:14.393",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://www.yealink.com/en/trust-center/security-advisories/yealink-config-encrypt-tool-hardcoded-encryption-password-vulnerability"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.yealink.com/en/trust-center/security-advisories/yealink-config-encrypt-tool-hardcoded-encryption-password-vulnerability"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-321"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
CVE-2024-24681 (GCVE-0-2024-24681)
Vulnerability from cvelistv5
Published
2024-02-23 00:00
Modified
2025-03-25 17:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers' installations.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-24681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-04T21:20:30.937842Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T17:32:39.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:11.066Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gitaware/CVE/tree/main/CVE-2024-24681"
},
{
"tags": [
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2024/Feb/22"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers\u0027 installations."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-28T07:30:32.031Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/gitaware/CVE/tree/main/CVE-2024-24681"
},
{
"url": "https://seclists.org/fulldisclosure/2024/Feb/22"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-24681",
"datePublished": "2024-02-23T00:00:00.000Z",
"dateReserved": "2024-01-26T00:00:00.000Z",
"dateUpdated": "2025-03-25T17:32:39.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-48625 (GCVE-0-2022-48625)
Vulnerability from cvelistv5
Published
2024-02-19 00:00
Modified
2024-08-29 15:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key pair, and thus there is a risk of decryption by an adversary.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T15:17:55.510Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.yealink.com/en/trust-center/security-advisories/yealink-config-encrypt-tool-hardcoded-encryption-password-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:yealink:config_encrypt_tool_add_rsa:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "config_encrypt_tool_add_rsa",
"vendor": "yealink",
"versions": [
{
"lessThan": "1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-48625",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T16:46:45.877597Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T15:23:31.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key pair, and thus there is a risk of decryption by an adversary."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-19T23:58:29.853666",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.yealink.com/en/trust-center/security-advisories/yealink-config-encrypt-tool-hardcoded-encryption-password-vulnerability"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-48625",
"datePublished": "2024-02-19T00:00:00",
"dateReserved": "2024-02-19T00:00:00",
"dateUpdated": "2024-08-29T15:23:31.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}