
Yealink SIP-T46U CVE-2026-12220

EUVD-2026-36693 · HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-15 · VulDB · GHSA-xgmc-rwmg-ch77
7.3 (CVSS 4.0 · Vendor: VulDB)

Severity by source

Vendor (VulDB) PRIMARY
7.3 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.0 HIGH

Adjacent LAN access required (AV:A), low complexity, requires low-privilege web credentials on the phone (PR:L), no user interaction, and stack overflow in firmware-upgrade handler yields full C/I/A impact on the device.

3.1 AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS Vector (Vendor: VulDB)

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Jun 15, 2026 - 06:22 (vuln.today)
CVSS changed: Jun 15, 2026 - 06:22 (NVD), 8.6 (HIGH) → 7.3 (HIGH)

Description (CVE.org)

A vulnerability has been found in Yealink SIP-T46U 108.86.0.118. This affects the function mod_upgrade.SparePartsUpload of the file /api/upgrade/accupgradebychunk of the component Firmware Chunk Upload handler. Such manipulation of the argument uid leads to stack-based buffer overflow. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers with low-privilege credentials to corrupt memory via the uid parameter of the /api/upgrade/accupgradebychunk firmware chunk upload endpoint. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, raising the practical risk despite the adjacent-only attack vector. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Gain foothold on LAN segment
  • Delivery: Discover Yealink phone HTTP API
  • Exploit: Authenticate with low-privilege credentials
  • Install: Send POST to /api/upgrade/accupgradebychunk with oversized uid
  • C2: Overflow stack buffer in SparePartsUpload
  • Execute: Hijack control flow on phone firmware
  • Impact: Pivot or eavesdrop on SIP traffic

Vulnerability Assessment (AI)

Exploitation: Attacker must be on the same local/adjacent network segment as the target phone (CVSS AV:A - not reachable from the public internet by default) and must possess low-privileged credentials to the phone's web management interface (PR:L), so the firmware-upgrade API at /api/upgrade/accupgradebychunk can be invoked. …

Risk Assessment: Signals are mixed but lean toward meaningful risk for VoIP-heavy enterprise environments. …

Exploit Scenario: An attacker who has gained a foothold on the corporate LAN - for example via a compromised workstation, rogue Wi-Fi client, or malicious insider - authenticates to a Yealink SIP-T46U phone's web API with low-privilege credentials (often default or weak on unmanaged deployments) and issues a crafted POST to /api/upgrade/accupgradebychunk with an oversized uid parameter. The publicly available exploit archive (T46U_mod_upgrade_SparePartsUpload_stack_overflow.zip) demonstrates the buffer overflow, enabling the attacker to crash the phone or potentially execute arbitrary code on the embedded firmware, turning the device into a pivot point for eavesdropping on SIP calls or further lateral movement.

Remediation: No vendor-released patch identified at time of analysis - Yealink did not respond to the reporter's disclosure attempts. …

Recommended Action (AI)

Within 24 hours: Inventory all Yealink SIP-T46U devices, identify firmware versions, and disable remote firmware upgrade functionality where operationally feasible; restrict network access to firmware update endpoints via firewall policy. …
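To support the access restriction recommended above, the following added example (not part of the original advisory or any vendor tooling) scans HTTP access logs for requests to the firmware chunk upload endpoint that come from outside a provisioning allowlist or carry an unusually long uid. It assumes the logs come from a proxy or network sensor in front of the phones, that uid is visible in the logged query string, and that the allowlist address and the 64-character cap are site-chosen values; none of these are stated in the advisory.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

UPGRADE_PATH = "/api/upgrade/accupgradebychunk"  # endpoint named in the advisory
# Assumptions, not from the advisory: provisioning host list and uid length cap.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.10/32")]
MAX_UID_LEN = 64

# Constructed sample lines (combined-log style); not captured from a real device.
SAMPLE_LOG = "\n".join([
    '10.20.0.10 - - [15/Jun/2026:06:01:12 +0000] "POST /api/upgrade/accupgradebychunk?uid=a1b2c3 HTTP/1.1" 200 51',
    '10.20.7.44 - - [15/Jun/2026:06:03:40 +0000] "POST /api/upgrade/accupgradebychunk?uid=a1b2c3 HTTP/1.1" 200 51',
    '10.20.7.44 - - [15/Jun/2026:06:03:41 +0000] "POST /api/upgrade/accupgradebychunk?uid=' + "A" * 300 + ' HTTP/1.1" 500 0',
    '10.20.7.44 - - [15/Jun/2026:06:04:02 +0000] "GET /api/status HTTP/1.1" 200 310',
])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def source_allowed(src):
    """True only if src parses as an IP inside the provisioning allowlist."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(addr in net for net in ALLOWED_SOURCES)

def scan(log_text):
    """Return (source, status, reasons) for each suspicious upgrade-endpoint request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.rstrip("/") != UPGRADE_PATH:
            continue
        reasons = []
        if not source_allowed(src):
            reasons.append("source outside provisioning allowlist")
        uids = parse_qs(url.query, keep_blank_values=True).get("uid", [])
        if any(len(u) > MAX_UID_LEN for u in uids):
            reasons.append("uid exceeds %d characters" % MAX_UID_LEN)
        if reasons:
            findings.append((src, status, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

If uid travels in the request body rather than the query string, only the allowlist check applies to access logs, and the length check has to run where the body is visible.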
