Description
A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 108.87.0.23 is sufficient to resolve this issue. It is advisable to upgrade the affected component.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The updated description confirms that the flaw remains in the mod_diagnose.CommandShellByType function of the Yealink SIP‑T46U’s Web FastCGI Service. A crafted value for the Time parameter continues to be passed directly to the shell, enabling command injection. This allows an attacker to execute arbitrary commands with the privileges of the service, resulting in remote command execution affecting confidentiality, integrity and availability74 and CWE-77.

Affected Systems

The affected device is the Yealink SIP‑T46U running firmware version 108.86.0.118. The flaw is in the Web FastCGI Service component accessed through the /api/diagnosis/start endpoint.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of 2% indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, although an exploit has already been published. Attackers can trigger the injection remotely over the network without local access, making the attack vector network‑based. A firmware upgrade to version 108.87.0.23 removes the vulnerable function, so operators should apply the update to eliminate the risk, and may also consider network hardening or disabling the vulnerable endpoint as additional mitigations.

Generated by OpenCVE AI on June 27, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Yealink SIP‑T46U firmware to version 108.87.0.23, which removes the vulnerable mod_diagnose.CommandShellByType function.
  • Restrict or block external access to the /api/diagnosis/start endpoint using a firewall or access control list.
  • Deploy a web application firewall or reverse proxy to enforce strict numeric validation on the Time parameter, rejecting non‑numeric input.
  • Disable Service or the diagnosis endpoint if it is not required for operation.

Generated by OpenCVE AI on June 27, 2026 at 08:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 108.87.0.23 is sufficient to resolve this issue. It is advisable to upgrade the affected component.
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}


Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Description A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Yealink SIP-T46U Web FastCGI Service start mod_diagnose.CommandShellByType command injection
First Time appeared Yealink
Yealink sip-t46u
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*
Vendors & Products Yealink
Yealink sip-t46u
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Yealink Sip-t46u
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-27T05:44:59.077Z

Reserved: 2026-06-14T13:54:13.580Z

Link: CVE-2026-12219

cve-icon Vulnrichment

Updated: 2026-06-15T21:55:54.462Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T06:16:23.953

Modified: 2026-06-15T20:42:32.707

Link: CVE-2026-12219

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T08:30:07Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')