Sip T46U
Command injection in the Yealink SIP-T46U IP phone firmware 108.86.0.118 enables authenticated, adjacent-network attackers to execute arbitrary operating system commands by manipulating the `ip` or `port` arguments submitted to the `/api/inner/tftpuploadiperf` Web FastCGI endpoint. Publicly available exploit code exists, and Yealink did not respond to responsible disclosure, meaning no vendor-released patch has been identified at time of analysis. No KEV listing confirms active exploitation, but the combination of a public proof-of-concept, an absent vendor response, and a default-enabled attack surface on widely deployed enterprise VoIP phones elevates practical risk beyond the moderate CVSS 4.0 score of 5.1.
Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows authenticated adjacent-network attackers to corrupt memory via the `BlueToothTest` handler exposed by the Web FastCGI service. Supplying crafted `btMac`, `pin`, or `reserved` parameters to `/api/inner/bttest` triggers the overflow inside `mod_webd.BlueToothTest`; publicly available exploit code demonstrates an off-by-one write. The flaw is reachable from the LAN rather than the public internet, but the vendor has not responded to disclosure and no patched firmware has been published.
Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers with low privileges to corrupt memory via crafted `uid` or `start_offset` parameters sent to the `/api/upgrade/upgrade` firmware chunk upload endpoint. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving deployed devices without an official patch. CVSS 4.0 rates this 8.6 (High) with proof-of-concept maturity (E:P).
Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers with low-privilege credentials to corrupt memory via the `uid` parameter of the `/api/upgrade/accupgradebychunk` firmware chunk upload endpoint. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, raising the practical risk despite the adjacent-only attack vector. No active exploitation in the wild has been identified (not on CISA KEV).
Command injection in Yealink SIP-T46U firmware 108.86.0.118 enables remote authenticated attackers to execute arbitrary OS commands via the unsanitized `Time` argument passed to the `mod_diagnose.CommandShellByType` function at the `/api/diagnosis/start` diagnostic endpoint. The exploit leverages the Web FastCGI Service's failure to neutralize shell metacharacters before invoking underlying system commands, consistent with CWE-77. A public proof-of-concept exploit archive is confirmed available, no CISA KEV listing exists at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.
Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.87.50.1) allows adjacent-network attackers with low-privileged access to corrupt memory via the `port` argument processed by the `StartReportInformation` function in the `/api/inner/beforewifitest` endpoint of the Web FastCGI Service. Publicly available exploit code exists, and the vendor was notified without response, leaving deployed devices unmitigated. No in-the-wild exploitation campaigns have been identified, but exploitation is feasible given the released PoC.