
Exploit for Yealink DM 3.6.0.20 - Remote Command Injection (CVE-2021-27561)

Description:

Yealink Device Management (DM) 3.6.0.20 allows command injection as root via the /sm/api/v1/firewall/zone/services URI, without authentication.

Nuclei Template

View the template here: CVE-2021-27561.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2021/CVE-2021-27561.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2021-27561
https://ssd-disclosure.com/?p=4688
https://github.com/ARPSyndicate/cvemon
https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/
https://github.com/ARPSyndicate/kenzer-templates
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27561