CVE-2025-29660: Input Validation
First published: Mon Apr 21 2025(Updated: )
A vulnerability exists in the daemon process of the Yi IOT XY-3820 v6.0.24.10, which exposes a TCP service on port 6789. This service lacks proper input validation, allowing attackers to execute arbitrary scripts present on the device by sending specially crafted TCP requests using directory traversal techniques.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Yi IOT XY-3820 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-29660?
CVE-2025-29660 is considered a high-severity vulnerability due to the risk of arbitrary script execution.
How do I fix CVE-2025-29660?
To fix CVE-2025-29660, update the Yi IOT XY-3820 device to the latest firmware that addresses this vulnerability.
What are the potential impacts of CVE-2025-29660?
The potential impacts of CVE-2025-29660 include unauthorized access to the device and execution of malicious scripts.
Which device is affected by CVE-2025-29660?
The affected device for CVE-2025-29660 is the Yi IOT XY-3820 running firmware version v6.0.24.10.
How does CVE-2025-29660 exploit the Yi IOT XY-3820?
CVE-2025-29660 exploits the Yi IOT XY-3820 by leveraging a poorly secured TCP service on port 6789 to execute arbitrary scripts.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/source
- agent/severity
- agent/tags
- agent/event
- vendor/yi
- canonical/yi iot xy-3820