Description
A vulnerability was identified in Yealink SIP-T46U 108.86.0.118. Affected by this vulnerability is the function mod_webd.TFTPUploadIperf of the file /api/inner/tftpuploadiperf of the component Web FastCGI Service. The manipulation of the argument ip/port leads to command injection. The attack needs to be initiated within the local network. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can manipulate the ip/port parameter in the mod_webd.TFTPUploadIperf endpoint of Yealink’s Web FastCGI Service to inject and execute arbitrary shell commands on the device. This flaw enables the execution of malicious code when accessed over the internal network, compromising the confidentiality, integrity, and availability of the device and any network resources controlled by it. The weakness maps to CWE-74 and CWE-77, highlighting improper handling of user-supplied input and insufficient validation of command arguments.

Affected Systems

Yealink SIP-T46U, firmware version 108.86.0.118. The vulnerability is specific to the Web FastCGI Service component and the TFTPUploadIperf API endpoint on this model.

Risk and Exploitability

The CVSS score of 5.1 reflects a moderate severity, yet the flaw is exploitable from within the local network and an exploit is publicly available. With no EPSS value or KEV designation, the current data does not indicate a high probability of widespread exploitation, but the local nature of the attack vector means that compromised or malicious internal users can readily trigger it. The lack of a KEV listing suggests that mass exploitation is not yet observed.

Generated by OpenCVE AI on June 15, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SIP-T46U firmware to a version that removes the command injection vulnerability in the mod_webd.TFTPUploadIperf endpoint.
  • If an up-to-date firmware is not yet available, restrict access to the Web FastCGI Service by firewall rules or network segmentation so that only trusted hosts can reach the exposed API.
  • Monitor internal traffic for anomalous API calls containing unusual ip or port values, and audit logs for unauthorized command execution attempts.
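The third recommendation above is concrete enough to demonstrate. The following is an added example, not code from OpenCVE or Yealink: it applies the same allowlist check a fixed firmware would need server-side (an `ip` argument must parse as an IP address, a `port` argument must be an integer in 1-65535) to requests for the /api/inner/tftpuploadiperf path seen in an access log, and reports any request whose values fail that check. The log layout is a generic Apache-style access log constructed for the example; the Yealink device's real log format, the exact parameter names it accepts and the function names below are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus, urlsplit

# Path named in the advisory; everything else here is constructed for illustration.
WATCHED_PATH = "/api/inner/tftpuploadiperf"

# Generic access-log layout (assumption; not the device's real format):
# <src> - - [<timestamp>] "<METHOD> <target> HTTP/x.y" <status> ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines: one clean call, two with values that cannot be a
# plain address or port, one unrelated request.
SAMPLE_LOG = [
    '192.168.1.50 - - [15/Jun/2026:06:00:01 +0000] "GET /api/inner/tftpuploadiperf?ip=192.168.1.10&port=5201 HTTP/1.1" 200 17',
    '192.168.1.77 - - [15/Jun/2026:06:00:02 +0000] "GET /api/inner/tftpuploadiperf?ip=192.168.1.10%3Bplaceholder&port=5201 HTTP/1.1" 200 17',
    '192.168.1.77 - - [15/Jun/2026:06:00:03 +0000] "GET /api/inner/tftpuploadiperf?ip=192.168.1.10&port=99999 HTTP/1.1" 200 17',
    '192.168.1.50 - - [15/Jun/2026:06:00:04 +0000] "GET /index.html HTTP/1.1" 200 900',
]


def valid_ip(value: str) -> bool:
    """Allowlist check: the value must parse as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def valid_port(value: str) -> bool:
    """Allowlist check: ASCII digits only, in the range 1..65535."""
    return re.fullmatch(r"[0-9]{1,5}", value) is not None and 1 <= int(value) <= 65535


def parse_query(query: str) -> Dict[str, List[str]]:
    """Decode a query string into name -> [values] without relying on
    version-dependent parse_qs separator behaviour."""
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def check_params(query: str) -> List[str]:
    """Return a description of every ip/port value that fails the allowlist;
    an empty list means the arguments look like a plain address and port."""
    params = parse_query(query)
    problems = []
    for name, validator in (("ip", valid_ip), ("port", valid_port)):
        for value in params.get(name, []):
            if not validator(value):
                problems.append(f"{name}={value!r}")
    return problems


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Scan access-log lines; return (source address, problems) for each
    request to the watched endpoint whose ip/port values fail validation."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != WATCHED_PATH:
            continue
        problems = check_params(parts.query)
        if problems:
            alerts.append((m["src"], problems))
    return alerts


if __name__ == "__main__":
    for src, problems in scan(SAMPLE_LOG):
        print(f"ALERT {src} -> {WATCHED_PATH}: {', '.join(problems)}")
```

The check deliberately allowlists rather than searching for specific characters: anything that is not a parseable address or an in-range port is flagged, so the detection does not depend on guessing how an argument might be shaped. The same two validators, applied before the value reaches any command construction, are the CWE-77 fix this page's remediation section is waiting on.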

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 06:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in Yealink SIP-T46U 108.86.0.118. Affected by this vulnerability is the function mod_webd.TFTPUploadIperf of the file /api/inner/tftpuploadiperf of the component Web FastCGI Service. The manipulation of the argument ip/port leads to command injection. The attack needs to be initiated within the local network. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Yealink SIP-T46U Web FastCGI Service tftpuploadiperf mod_webd.TFTPUploadIperf command injection
First Time appeared | | Yealink; Yealink sip-t46u
Weaknesses | | CWE-74; CWE-77
CPEs | | cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*
Vendors & Products | | Yealink; Yealink sip-t46u
References | |
Metrics | | cvssV2_0: {'score': 5.2, 'vector': 'AV:A/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 5.5, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T05:30:11.341Z

Reserved: 2026-06-14T13:54:23.937Z

Link: CVE-2026-12223

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-15T06:16:24.567

Modified: 2026-06-15T06:16:24.567

Link: CVE-2026-12223

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T07:30:31Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')