Impact
The updated description confirms that the flaw remains in the mod_diagnose.CommandShellByType function of the Yealink SIP‑T46U’s Web FastCGI Service. A crafted value for the Time parameter continues to be passed directly to the shell, enabling command injection. This allows an attacker to execute arbitrary commands with the privileges of the service, resulting in remote command execution affecting confidentiality, integrity and availability74 and CWE-77.
Affected Systems
The affected device is the Yealink SIP‑T46U running firmware version 108.86.0.118. The flaw is in the Web FastCGI Service component accessed through the /api/diagnosis/start endpoint.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. The EPSS score of 2% indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, although an exploit has already been published. Attackers can trigger the injection remotely over the network without local access, making the attack vector network‑based. A firmware upgrade to version 108.87.0.23 removes the vulnerable function, so operators should apply the update to eliminate the risk, and may also consider network hardening or disabling the vulnerable endpoint as additional mitigations.
OpenCVE Enrichment