It has come to our attention that all releases of Yealink firmware contain a security vulnerability which can allow remote attackers to take control of the phone and make calls without your permission. This puts any extension registered on a Yealink device at risk.
The vulnerability affects all Yealink devices, including those NOT purchased from Gradwell.
Some revisions of Yealink firmware will also allow an attacker to gain complete control of your phone and SIP extension details.
Yealink phones ship with default usernames of "admin" and "user" and well-known default passwords. Attackers can use readily available utilities to exploit these defaults and instruct the phone to make calls without your permission, generally to high-cost international destinations.
Yealink are currently working on a firmware update to resolve this problem. In the meantime, the guidance below should be followed for all Yealink handsets deployed within your organisation.
If you purchased your phone from Gradwell, and it was configured to an extension either via our online store or by our sales team, then we are taking steps to ensure that your firmware is upgraded automatically and that the "user" password is changed. However, you still need to ensure that the "admin" password is set to a secure value.
This affects all Yealink handsets running any published firmware release.
It is important that the guidelines below are followed to reduce the risk of your device being compromised.
The instructions below are generic. If you did not purchase your Yealink phone from Gradwell, or have made technical changes to how the device provisions, please consult your supplier or IT department for any additional information that may be required.
Ensure that your phone is running the latest firmware release available from the Yealink website. If it is not, please update your device immediately by clicking on the link; this will download the latest firmware, which you can then upload to your phone. If you are unsure of the firmware upgrade procedure, please read this help guide.
Ensure that both the "admin" and "user" logins for the phone's web interface are protected with a strong, unique password (not the username, and not the factory default). You can use this free online password generator to create a suitable password, which can then be set using the phone's web-based administration; if you have a password manager, its built-in generator is preferable, as the password is then never sent to a third-party site.
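The following is an added example, not part of the original Gradwell advisory or any Yealink tooling, showing how to generate a replacement password for the "admin" and "user" logins locally with the operating system's CSPRNG instead of a web page. The character set, the 12-character minimum and the policy checks are assumptions chosen for this illustration; the phone's own web interface may impose its own limits on length or allowed symbols, so check those before applying the result.

```python
import math
import secrets
import string

# Assumed character set: letters, digits and a set of symbols that are
# safe to type into a web form. Adjust if the phone rejects any of them.
SYMBOLS = "!#%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Assumed minimum length for this example (not a Yealink requirement).
MIN_LENGTH = 12

# Logins named in the advisory; a password must never equal one of them.
PHONE_LOGINS = ("admin", "user")


def meets_policy(password: str) -> bool:
    """Return True if the password is long enough, is not blank or a login
    name, and contains at least one character from every class."""
    if len(password) < MIN_LENGTH:
        return False
    if password.strip() == "" or password.lower() in PHONE_LOGINS:
        return False
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, SYMBOLS)
    return all(any(c in cls for c in password) for cls in classes)


def generate_password(length: int = 20) -> str:
    """Draw characters from the OS CSPRNG (secrets.choice, not random)
    and retry until the result satisfies meets_policy()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length: int) -> float:
    """Theoretical entropy of a uniformly chosen password of this length
    over ALPHABET (ignores the small reduction from the policy retry)."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Generate one password per login and show roughly how strong it is.
    for login in PHONE_LOGINS:
        pw = generate_password(20)
        print(f"{login}: {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
```

Run it on the machine you administer the phones from, set each login's password through the web interface, and store the values in your password manager rather than in a shared document.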
Please note that it is the customer's responsibility to ensure that all devices are kept up to date with the latest firmware and secured against third-party attacks.