Skip to main content

Yealink SIP-T46U EUVD-2026-36691

| CVE-2026-12218 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-15 VulDB GHSA-4hcr-4qf7-mjh5
Stack Overflow Buffer Overflow Sip T46U
7.3
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
7.3 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.0 HIGH

Adjacent-network FastCGI endpoint (AV:A), low complexity reliable overflow (AC:L), requires authenticated low-priv web user (PR:L), no user interaction, and full code-execution impact on the phone (C/I/A:H).

3.1 AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 15, 2026 - 06:23 vuln.today
CVSS changed
Jun 15, 2026 - 06:22 NVD
8.6 (HIGH) 7.3 (HIGH)
CVSS changed
Jun 15, 2026 - 06:22 NVD
8.6 (HIGH) 7.3 (HIGH)

DescriptionCVE.org

A vulnerability was detected in Yealink SIP-T46U 108.87.50.1. The affected element is the function StartReportInformation of the file /api/inner/beforewifitest of the component Web FastCGI Service. The manipulation of the argument port results in stack-based buffer overflow. Access to the local network is required for this attack. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.87.50.1) allows adjacent-network attackers with low-privileged access to corrupt memory via the port argument processed by the StartReportInformation function in the /api/inner/beforewifitest endpoint of the Web FastCGI Service. Publicly available exploit code exists, and the vendor was notified without response, leaving deployed devices unmitigated. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain adjacent network access to voice VLAN
Delivery
Authenticate to phone web UI with low-privilege credentials
Exploit
Send crafted POST to /api/inner/beforewifitest with oversized port argument
Execution
Overflow stack buffer in StartReportInformation
Persist
Hijack FastCGI execution flow
Impact
Eavesdrop on SIP traffic and pivot into voice network
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Attacker must reach the phone's Web FastCGI Service on the adjacent (same-broadcast-domain or routable voice) network - internet exposure is not required and would not normally exist - and must hold low-privilege credentials to the phone's web interface (PR:L), which on Yealink deployments are frequently the default 'user'/'user' account or a shared site password. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 scores this 7.3 (High) with AV:A/AC:L/PR:L/UI:N and full VC:H/VI:H/VA:H impact on the vulnerable system, meaning an attacker who is already on the same adjacent network and holds low-level credentials can fully compromise the phone with low complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with guest Wi-Fi access or a compromised workstation on the same VLAN as the SIP-T46U phones authenticates to the phone's web UI with low-privilege credentials (often shared or default) and issues a crafted POST to /api/inner/beforewifitest with an oversized 'port' value. The StartReportInformation handler overflows its stack buffer, allowing the attacker to hijack execution and drop a listener on the phone, which can then be used to eavesdrop on SIP calls or pivot deeper into the voice network. …
Remediation No vendor-released patch identified at time of analysis - Yealink did not respond to the coordinated disclosure attempt reported by VulDB (https://vuldb.com/vuln/370861). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Conduct comprehensive inventory scan to identify all Yealink SIP-T46U phones with firmware 108.87.50.1; isolate these devices from external network access using network segmentation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-12220 HIGH POC
7.3 Jun 15

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers w
CVE-2026-12221 HIGH POC
7.3 Jun 15

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers w
CVE-2026-12222 HIGH POC
7.3 Jun 15

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows authenticated adjacent-netwo
CVE-2026-12219 LOW POC
2.1 Jun 15

Command injection in Yealink SIP-T46U firmware 108.86.0.118 enables remote authenticated attackers to execute arbitrary

CVE-2026-12223 LOW POC
2.0 Jun 15

Command injection in the Yealink SIP-T46U IP phone firmware 108.86.0.118 enables authenticated, adjacent-network attacke

Share

EUVD-2026-36691 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy