Impact
An attacker who can access the Yealink SIP‑T46U from within its local network can manipulate the ip/port argument sent to the mod_webd.TFTPUploadIperf endpoint exposed by the Web FastCGI Service. This manipulation causes the device to assemble and execute an arbitrary shell command, allowing local code execution. Because the flaw is triggered only by internal traffic, the threat is limited to hosts that already have access to the network, but the availability of a public exploit means that compromised or malicious internal users could readily leverage the vulnerability. The issue is tied to improper input validation (CWE‑74) and inadequate command argument filtering (CWE‑77).
Affected Systems
Yealink SIP-T46U, firmware version 108.86.0.118. The vulnerability is specific to the Web FastCGI Service component and the TFTPUploadIperf API endpoint on this model.
Risk and Exploitability
The CVSS score of 5.1 reflects a moderate severity, yet the flaw is exploitable from within the local network and an exploit is publicly available. With an EPSS score of 2% and no KEV designation, the current data does not indicate a high probability of widespread exploitation, but the local nature of the attack vector means that compromised or malicious internal users can readily trigger it. The lack of a KEV listing suggests that mass exploitation is not yet observed.
OpenCVE Enrichment