CVE-2024-24681

An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers' installations.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/gitaware/CVE/tree/main/CVE-2024-24681	Third Party Advisory
https://seclists.org/fulldisclosure/2024/Feb/22	Mailing List
https://github.com/gitaware/CVE/tree/main/CVE-2024-24681	Third Party Advisory
https://seclists.org/fulldisclosure/2024/Feb/22	Mailing List

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:yealink:configuration_encryption_tool:::::rsa:::*
	cpe:2.3:a:yealink:configuration_encryption_tool:-::::aes:::

History

25 Feb 2025, 22:56

Type	Values Removed	Values Added
CWE		CWE-798
First Time		Yealink Yealink configuration Encryption Tool
References	~~() https://github.com/gitaware/CVE/tree/main/CVE-2024-24681 -~~	() https://github.com/gitaware/CVE/tree/main/CVE-2024-24681 - Third Party Advisory
References	~~() https://seclists.org/fulldisclosure/2024/Feb/22 -~~	() https://seclists.org/fulldisclosure/2024/Feb/22 - Mailing List
CPE		cpe:2.3:a:yealink:configuration_encryption_tool:::::rsa:::* cpe:2.3:a:yealink:configuration_encryption_tool:-::::aes:::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

Information

Published : 2024-02-23 23:15

Updated : 2025-03-25 18:15

NVD link : CVE-2024-24681

Mitre link : CVE-2024-24681

CVE.ORG link : CVE-2024-24681

JSON object : View

Products Affected

yealink

configuration_encryption_tool

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2024-24681", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-02-23T23:15:09.687", "references": [{"url": "https://github.com/gitaware/CVE/tree/main/CVE-2024-24681", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://seclists.org/fulldisclosure/2024/Feb/22", "tags": ["Mailing List"], "source": "cve@mitre.org"}, {"url": "https://github.com/gitaware/CVE/tree/main/CVE-2024-24681", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://seclists.org/fulldisclosure/2024/Feb/22", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Yealink Configuration Encrypt Tool (AES version) and Yealink Configuration Encrypt Tool (RSA version before 1.2). There is a single hardcoded key (used to encrypt provisioning documents) across customers' installations."}, {"lang": "es", "value": "Clave AES insegura en la herramienta de cifrado de configuraci\u00f3n de Yealink inferior a la versi\u00f3n 1.2. Se filtr\u00f3 una \u00fanica clave AES codificada en todo el proveedor en la herramienta de configuraci\u00f3n utilizada para cifrar los documentos de aprovisionamiento, lo que comprometi\u00f3 la confidencialidad de los documentos de aprovisionamiento."}], "lastModified": "2025-03-25T18:15:31.937", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:yealink:configuration_encryption_tool:*:*:*:*:rsa:*:*:*", "vulnerable": true, "matchCriteriaId": "9036114A-94DC-4846-841D-5B33B0648D19", "versionEndExcluding": "1.2"}, {"criteria": "cpe:2.3:a:yealink:configuration_encryption_tool:-:*:*:*:aes:*:*:*", "vulnerable": true, "matchCriteriaId": "F6F45166-A35B-463E-B62F-37E7B0D69334"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}