
A critical remote code execution (RCE) vulnerability, designated as CVE-2025-29659, has been identified in the Yi IoT XY-3820 firmware version 6.0.24.10. The flaw resides in the cmd_listen function of the cmd binary, allowing unauthenticated attackers to execute arbitrary commands on affected devices. With a CVSS score of 9.8 (Critical), this vulnerability poses significant risks, including device takeover and network pivoting.
Vulnerability Overview
The vulnerability stems from improper authorization (CWE-285) in the cmd_listen function, which fails to validate user input before processing commands. According to the National Vulnerability Database (NVD) [1], this flaw enables remote attackers to bypass authentication and execute system-level commands. The SecAlerts advisory [2] confirms exploitability via a publicly available proof-of-concept (PoC) on GitHub, demonstrating how attackers can weaponize this vulnerability.
Historical context reveals this is not the first security issue affecting Yi IoT devices. In 2018, Cisco Talos disclosed similar RCE flaws (CVE-2018-3947, CVE-2018-3892) [3] in Yi Home Cameras, suggesting a pattern of insecure firmware design. The current vulnerability affects the XY-3820 model, commonly used in industrial IoT deployments.
Technical Details
The cmd binary, which contains the vulnerable function, listens on port 6789/TCP by default. Attackers can send crafted TCP requests to this port to trigger command execution. Research indicates the vulnerability is trivially exploitable, requiring no prior authentication or user interaction.
A companion vulnerability (CVE-2025-29660) was also discovered in the same device, allowing directory traversal via TCP requests to port 6789. This secondary flaw could enable attackers to read sensitive files or deploy persistent backdoors.
Proof of Concept and Exploitation
The GitHub repository RCE-YiIOT [4] provides a functional PoC demonstrating exploitation. The script sends a malicious payload to the cmd_listen function, achieving RCE through improper input sanitization. While we refrain from publishing exploit code, security teams can reference the PoC to validate detection rules.
Mitigation and Remediation
As of April 21, 2025, Yi Technology has not released an official patch. Recommended mitigation strategies include:
- Network segmentation to isolate affected devices
- Blocking inbound traffic to port 6789/TCP at perimeter firewalls
- Monitoring for unusual process activity (particularly cmd binary execution)
Organizations should monitor the vendor’s security advisories for firmware updates. The Cybersecurity and Infrastructure Security Agency (CISA) has not yet added this vulnerability to its Known Exploited Vulnerabilities Catalog [5], but this status may change if active exploitation is observed.
Detection and Response
Security teams should deploy the following detection mechanisms:
| Indicator | Detection Method |
|---|---|
| Unusual connections to port 6789/TCP | Network IDS/IPS rules |
| cmd binary execution with network input | Endpoint detection and response (EDR) solutions |
| Process tree anomalies from cmd | SIEM correlation rules |
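As an added example (not code from the advisory, the vendor, or the PoC repository), the following Python script applies the first indicator in the table to firewall log lines: it flags accepted 6789/TCP connections to the camera subnet from any source outside a management allowlist, and counts hits per source so a host sweeping several cameras stands out. The subnets, the key=value log format and the sample log lines are assumptions constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed assumptions: the XY-3820 devices live in 10.10.20.0/24 and only
# the management subnet 10.10.5.0/24 may legitimately reach the cmd service.
DEVICE_NET = ipaddress.ip_network("10.10.20.0/24")
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/24")]
CMD_PORT = 6789  # default listening port of the vulnerable cmd binary

# key=value firewall/flow log format, constructed for this example.
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) "
    r"dpt=(?P<dpt>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)"
)

# Constructed sample log lines: one allowed management session, one external
# host touching two cameras, a UDP probe, HTTP traffic, and a blocked attempt.
SAMPLE_LOGS = """\
2025-04-21T10:00:01Z src=10.10.5.12 spt=40211 dst=10.10.20.7 dpt=6789 proto=TCP action=allow
2025-04-21T10:00:05Z src=203.0.113.9 spt=51234 dst=10.10.20.7 dpt=6789 proto=TCP action=allow
2025-04-21T10:00:06Z src=203.0.113.9 spt=51235 dst=10.10.20.8 dpt=6789 proto=TCP action=allow
2025-04-21T10:00:09Z src=192.168.1.30 spt=33100 dst=10.10.20.7 dpt=6789 proto=UDP action=allow
2025-04-21T10:00:12Z src=192.168.1.30 spt=33101 dst=10.10.20.7 dpt=80 proto=TCP action=allow
2025-04-21T10:00:20Z src=198.51.100.4 spt=60000 dst=10.10.20.9 dpt=6789 proto=TCP action=deny
"""

def is_allowed_source(src):
    return any(src in net for net in MGMT_ALLOWLIST)

def find_cmd_port_hits(log_text):
    """One alert per accepted 6789/TCP connection to a device from a non-allowlisted source."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the expected format; ignore it
        if m["proto"].upper() != "TCP" or int(m["dpt"]) != CMD_PORT:
            continue  # only the cmd_listen port over TCP is of interest here
        if m["action"] != "allow":
            continue  # denied at the perimeter: the port-block mitigation held
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if dst in DEVICE_NET and not is_allowed_source(src):
            alerts.append({"ts": m["ts"], "src": str(src), "dst": str(dst)})
    return alerts

def summarize_by_source(alerts):
    """Count alerts per source address so a scanning host stands out."""
    return Counter(a["src"] for a in alerts)

if __name__ == "__main__":
    hits = find_cmd_port_hits(SAMPLE_LOGS)
    for a in hits:
        print(f"ALERT {a['ts']} {a['src']} -> {a['dst']}:{CMD_PORT}/tcp")
    print(dict(summarize_by_source(hits)))
```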
Historical data suggests Yi IoT devices are frequently targeted for botnet recruitment. Organizations should prioritize patching these devices to prevent potential DDoS attacks or lateral movement attempts.
Conclusion
CVE-2025-29659 represents a serious threat to organizations deploying Yi IoT XY-3820 devices. The combination of remote exploitability, lack of authentication requirements, and public PoC availability makes this vulnerability particularly dangerous. Security teams should implement immediate network controls while awaiting vendor patches, and consider replacing affected devices if long-term support cannot be guaranteed.
The recurrence of similar vulnerabilities in Yi IoT products raises concerns about the vendor’s secure development practices. Organizations relying on IoT devices should evaluate vendor security track records during procurement processes.
References
- [1] “CVE-2025-29659 Detail,” National Vulnerability Database, 2025. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-29659
- [2] “Yi IoT XY-3820 RCE Vulnerability,” SecAlerts, 2025. [Online]. Available: https://secalerts.co/vulnerability/CVE-2025-29659
- [3] “Vulnerability Spotlight: Yi Technology Home Cameras,” Cisco Talos, 2018. [Online]. Available: https://blog.talosintelligence.com/vulnerability-spotlight-yi-technology/
- [4] “RCE-YiIOT Proof of Concept,” GitHub, 2025. [Online]. Available: https://github.com/Yasha-ops/RCE-YiIOT
- [5] “Known Exploited Vulnerabilities Catalog,” CISA, 2025. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog