CVE-2024-24681

An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers' installations.
Configurations

Configuration 1

OR cpe:2.3:a:yealink:configuration_encryption_tool:*:*:*:*:rsa:*:*:*
cpe:2.3:a:yealink:configuration_encryption_tool:-:*:*:*:aes:*:*:*

History

25 Feb 2025, 22:56

| Type | Values Removed | Values Added |
|---|---|---|
| First Time | | Yealink; Yealink configuration Encryption Tool |
| References | () https://github.com/gitaware/CVE/tree/main/CVE-2024-24681 - | () https://github.com/gitaware/CVE/tree/main/CVE-2024-24681 - Third Party Advisory |
| References | () https://seclists.org/fulldisclosure/2024/Feb/22 - | () https://seclists.org/fulldisclosure/2024/Feb/22 - Mailing List |
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 9.8 |
| CWE | | CWE-798 |
| CPE | | cpe:2.3:a:yealink:configuration_encryption_tool:*:*:*:*:rsa:*:*:*; cpe:2.3:a:yealink:configuration_encryption_tool:-:*:*:*:aes:*:*:* |

21 Nov 2024, 08:59

| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/gitaware/CVE/tree/main/CVE-2024-24681 - | () https://github.com/gitaware/CVE/tree/main/CVE-2024-24681 - |
| References | () https://seclists.org/fulldisclosure/2024/Feb/22 - | () https://seclists.org/fulldisclosure/2024/Feb/22 - |

28 Mar 2024, 08:15

Type Values Removed Values Added
References
  • {'url': 'https://www.reddit.com/r/VOIP/comments/ys9mel/what_are_some_of_the_good_white_label_voip/', 'source': 'cve@mitre.org'}
  • () https://github.com/gitaware/CVE/tree/main/CVE-2024-24681 -
  • () https://seclists.org/fulldisclosure/2024/Feb/22 -
Summary
  • (es) Insecure AES key in the Yealink configuration encryption tool below version 1.2. A single vendor-wide hardcoded AES key in the configuration tool used to encrypt provisioning documents was leaked, compromising the confidentiality of the provisioning documents.
Summary (en) Insecure AES key in Yealink Configuration Encrypt Tool below version 1.2. A single, vendor-wide, hardcoded AES key in the configuration tool used to encrypt provisioning documents was leaked, leading to a compromise of confidentiality of provisioning documents. (en) An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers' installations.

23 Feb 2024, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-23 23:15

Updated : 2025-03-25 18:15


NVD link : CVE-2024-24681

Mitre link : CVE-2024-24681

CVE.ORG link : CVE-2024-24681


Products Affected

yealink

  • configuration_encryption_tool
CWE
CWE-798

Use of Hard-coded Credentials