Security vulnerability affecting Yealink phones
It has come to our attention that all releases of Yealink firmware contain a security vulnerability which puts a user’s account at risk. A breach can potentially lead to the execution of code against the phone to make calls without your permission. The vulnerability affects all Yealink devices, including those NOT purchased directly from VoIPon. Some revisions of Yealink firmware will also allow an attacker to gain complete control of your IP Phone and SIP extension details.

Vulnerability information

Yealink phones are factory set with default usernames of “admin” and “user”, along with default passwords. Attackers can use several utilities to easily exploit this and instruct the phone to make calls without your permission, commonly to high cost international destinations. Yealink are currently working on an update to their firmware to resolve this problem. In the meantime, the information below should be followed for all Yealink handsets deployed within your organisation.

Recommendations

It is important that you follow the steps below to reduce your risk of fraudulent activity.

If you have purchased your phone from VoIPon configured to an extension, either via our online store or from our sales team, then we are taking steps to ensure that your firmware is upgraded automatically and that the “user” password is changed. You should also ensure that the “admin” password is changed to something more secure.

If you have not...