Absolute Path Traversal Vulnerability in Yealink SIP-T38G VoIP Phone
CVE-2013-5757

Currently unrated

Key Information:

Vendor: Yealink
Status: Sip-t38g
Vendor: CVE Published:; 3 August 2014

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2013-5757?

The Yealink VoIP Phone SIP-T38G is susceptible to an absolute path traversal vulnerability, which permits remote authenticated users to read arbitrary files on the device. This is achieved through the 'dumpConfigFile' function within the 'cgiServer.exx' script, allowing an attacker to manipulate the command parameter to access sensitive data using a full pathname.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2013-5757 - Proof of Concept

References

http://www.exploit-db.com/exploits/33740

exploitx_refsource_EXPLOIT-DB

EPSS Score

9% chance of being exploited in the next 30 days.

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Aug 3, 2014
👾
Exploit known to exist
Aug 3, 2014
Vulnerability published
Aug 3, 2014
Vulnerability Reserved
Sep 18, 2013

CVE-2013-5757 Data

JSON