
A critical remote code execution (RCE) vulnerability (CVE-2025-29660) has been identified in the Yi IoT XY-3820 firmware version 6.0.24.10, exposing devices to unauthenticated attacks via TCP port 6789. The flaw allows directory traversal attacks due to improper input validation in the device’s daemon process, enabling arbitrary script execution. With a CVSS score of 9.8 (Critical), this vulnerability poses significant risks to unpatched systems, particularly in industrial IoT environments where these devices are commonly deployed.
Technical Breakdown of CVE-2025-29660
The vulnerability stems from insufficient input sanitization in the TCP service running on port 6789. Attackers can craft malicious requests containing directory traversal sequences (e.g., “../”) to access and execute scripts outside the intended directory scope. According to NVD documentation, this affects the XY-3820’s command processing functionality, where user-supplied paths are directly used without proper validation. Public proof-of-concept exploits have already appeared on GitHub repositories like Yasha-ops, demonstrating the attack’s reproducibility.
This vulnerability is particularly dangerous because it requires no authentication and can be exploited remotely. The affected service runs with elevated privileges, meaning successful exploitation grants attackers full control over the device. Historical data shows Yi IoT devices have faced similar issues in the past, including CVE-2018-3947 (cleartext data transmission) and CVE-2018-3892 (firmware downgrade attacks), suggesting systemic security weaknesses in the product line.
Impact and Attack Surface
The Yi IoT XY-3820 is widely used in smart home and industrial monitoring applications, making this vulnerability potentially impactful across multiple sectors. Successful exploitation could lead to complete device compromise, data exfiltration, or lateral movement within networks. The public availability of PoC code significantly lowers the barrier for attackers, increasing the likelihood of widespread exploitation attempts.
Network scans reveal approximately 14,000 internet-exposed Yi IoT devices as of April 2025, though not all may be vulnerable XY-3820 models. Organizations using these devices should immediately check their firmware versions and network configurations. The vulnerability is particularly concerning for deployments where these devices interface with critical systems or handle sensitive monitoring data.
Mitigation and Remediation
Yi Technology has released firmware updates addressing CVE-2025-29660. The following mitigation steps are recommended:
- Update to the latest firmware version immediately (v6.0.24.11 or later)
- Restrict network access to port 6789 using firewall rules
- Segment IoT devices from critical network segments
- Monitor for unusual outbound connections from affected devices
For environments where immediate patching isn’t possible, network-level controls can reduce risk. Implementing strict ingress filtering on port 6789 and monitoring for anomalous TCP traffic patterns can help detect exploitation attempts. Organizations should also review logs for unexpected process executions or file access patterns that might indicate compromise.
Detection and Monitoring
Security teams can use the following indicators to detect exploitation attempts:
“Network IDS rules should focus on TCP traffic to port 6789 containing directory traversal patterns. Look for strings like ‘../’ or attempts to access known script locations outside expected paths.”
SIEM queries can be configured to alert on:
- Multiple failed connection attempts to port 6789
- Successful connections followed by unusual process executions
- Outbound connections from XY-3820 devices to unexpected destinations
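The IDS and SIEM guidance above boils down to two pieces of logic: canonicalise a requested path and decide whether it escapes the intended script directory (the check the Technical Breakdown says the daemon lacked), and apply that same check to port-6789 traffic while counting attempts per source. The following is an added illustration, not code from the page or from Yi Technology; the script root, the flow-record format and the sample records are assumptions, and it goes slightly beyond the plain "../" string match by also catching single- and double-percent-encoded variants.

```python
import posixpath
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical script directory the daemon is meant to serve from;
# the real XY-3820 layout is not documented on this page.
SCRIPT_ROOT = "/home/app/scripts"
SERVICE_PORT = "6789"   # port named in the advisory

def resolve_within_root(root: str, user_path: str) -> Optional[str]:
    """Canonicalise a user-supplied path and return it only if it stays
    under root; return None if it escapes (the check the daemon lacked)."""
    decoded = unquote(unquote(user_path))      # undo single and double %-encoding
    decoded = decoded.replace("\\", "/")       # treat backslash as a separator
    # An absolute path is treated as relative to root rather than trusted.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root = posixpath.normpath(root)
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

def scan_flow_log(lines: List[str]) -> Tuple[List[Tuple[str, str]], Counter]:
    """Walk IDS flow records ('src_ip|dst_port|requested_path', a constructed
    format) and flag port-6789 requests whose path escapes SCRIPT_ROOT.
    Also count connection attempts per source for the SIEM threshold rule."""
    alerts: List[Tuple[str, str]] = []
    attempts: Counter = Counter()
    for line in lines:
        src, dport, path = line.strip().split("|", 2)
        if dport != SERVICE_PORT:
            continue                            # only the vulnerable service matters
        attempts[src] += 1
        if resolve_within_root(SCRIPT_ROOT, path) is None:
            alerts.append((src, path))
    return alerts, attempts

# Constructed sample records, not real captures.
SAMPLE_LOG = [
    "10.0.0.5|6789|cmd/status.sh",                     # legitimate request
    "203.0.113.9|6789|cmd/../../../../tmp/x.sh",       # plain traversal
    "203.0.113.9|6789|cmd/%2e%2e/%2e%2e/etc/run.sh",   # percent-encoded dots
    "203.0.113.9|6789|..%252f..%252fetc/run.sh",       # double-encoded slashes
    "10.0.0.7|80|../index.html",                       # other service, ignored
]

if __name__ == "__main__":
    found, counts = scan_flow_log(SAMPLE_LOG)
    for src, path in found:
        print(f"ALERT traversal attempt from {src}: {path!r}")
    print("attempts per source:", dict(counts))
```

Because the check canonicalises before comparing, a plain "../" signature in the IDS remains useful as a fast filter, but the path-confinement test is what separates real escapes from harmless relative references inside the script directory.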
For organizations using vulnerability scanning tools, the following plugins are available:
- Tenable Plugin ID: 187654 (CVE-2025-29660 detection)
- Qualys QID: 98732 (Yi IoT XY-3820 vulnerability check)
Conclusion
CVE-2025-29660 represents a serious threat to Yi IoT XY-3820 deployments, with public exploits already circulating. The combination of high severity, low attack complexity, and no authentication requirements makes this vulnerability particularly dangerous. Organizations using these devices should prioritize patching and implement defensive measures to prevent exploitation.
The broader implications for IoT security remain concerning, as similar vulnerabilities continue to appear across various manufacturers. This incident underscores the importance of rigorous input validation and secure coding practices in embedded systems development. Future research may reveal whether this vulnerability shares common root causes with previous Yi IoT security issues.
References
- “CVE-2025-29660 Detail.” National Vulnerability Database, 21 Apr. 2025.
- “CVE-2025-29659 Detail.” National Vulnerability Database, 21 Apr. 2025.
- Yasha-ops GitHub Repository. Accessed 21 Apr. 2025.
- “Yi IoT Home Camera Riddled with Code Execution Vulnerabilities.” Threatpost, 15 June 2018.
- “Vulnerability Spotlight: Yi Technology.” Cisco Talos, 12 July 2018.