CVE-2025-29660 · CRITICAL 9.8 · EPSS percentile 64.8%


Description

A vulnerability exists in the daemon process of the Yi IOT XY-3820 v6.0.24.10, which exposes a TCP service on port 6789. This service lacks proper input validation, allowing attackers to execute arbitrary scripts present on the device by sending specially crafted TCP requests using directory traversal techniques.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.22% probability of exploitation · percentile 64.8% · scored 2026-06-19T12:03:05Z
Published: 2025-04-21
Last modified: 2025-06-23

Underlying weaknesses · 1

CWE-22

References

  1. https://github.com/Yasha-ops/RCE-YiIOT
  2. https://github.com/Yasha-ops/vulnerability-research/tree/master/CVE-2025-29660


Type: Weakness
Target: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-29659
  2. CVE-2025-56113
  3. CVE-2025-56099
  4. CVE-2025-56098
  5. CVE-2025-66738
  6. CVE-2025-8693
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.