Description
A vulnerability was identified in Yealink SIP-T46U 108.86.0.118. Affected by this vulnerability is the function mod_webd.TFTPUploadIperf of the file /api/inner/tftpuploadiperf of the component Web FastCGI Service. The manipulation of the argument ip/port leads to command injection. The attack needs to be initiated within the local network. The exploit is publicly available and might be used. Upgrading to version 108.87.0.23 addresses this issue. Upgrading the affected component is recommended. The vendor explains: "It has been fixed (...) for our technical support branch. However, please note that this specific support branch firmware is not publicly released yet."
Published: 2026-06-15
Score: 5.1 Medium
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker who can access the Yealink SIP‑T46U from within its local network can manipulate the ip/port argument sent to the mod_webd.TFTPUploadIperf endpoint exposed by the Web FastCGI Service. This manipulation causes the device to assemble and execute an arbitrary shell command, allowing local code execution. Because the flaw is triggered only by internal traffic, the threat is limited to hosts that already have access to the network, but the availability of a public exploit means that compromised or malicious internal users could readily leverage the vulnerability. The issue is tied to improper input validation (CWE‑74) and inadequate command argument filtering (CWE‑77).

Affected Systems

Yealink SIP-T46U, firmware version 108.86.0.118. The vulnerability is specific to the Web FastCGI Service component and the TFTPUploadIperf API endpoint on this model.

Risk and Exploitability

The CVSS score of 5.1 reflects a moderate severity, yet the flaw is exploitable from within the local network and an exploit is publicly available. With an EPSS score of 2% and no KEV designation, the current data does not indicate a high probability of widespread exploitation, but the local nature of the attack vector means that compromised or malicious internal users can readily trigger it. The lack of a KEV listing suggests that mass exploitation is not yet observed.

Generated by OpenCVE AI on June 27, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SIP‑T46U firmware to a version that removes the command injection vulnerability in the mod_webd.TFTPUploadIperf endpoint.
  • If an up‑to‑date firmware is not yet available, restrict access to the Web FastCGI Service by firewall rules or network segmentation so that only trusted hosts can reach the exposed API.
  • Monitored internal traffic for anomalous API calls containing unusual ip or port values, and audit logs for unauthorized command execution attempts.

Generated by OpenCVE AI on June 27, 2026 at 07:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in Yealink SIP-T46U 108.86.0.118. Affected by this vulnerability is the function mod_webd.TFTPUploadIperf of the file /api/inner/tftpuploadiperf of the component Web FastCGI Service. The manipulation of the argument ip/port leads to command injection. The attack needs to be initiated within the local network. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. A vulnerability was identified in Yealink SIP-T46U 108.86.0.118. Affected by this vulnerability is the function mod_webd.TFTPUploadIperf of the file /api/inner/tftpuploadiperf of the component Web FastCGI Service. The manipulation of the argument ip/port leads to command injection. The attack needs to be initiated within the local network. The exploit is publicly available and might be used. Upgrading to version 108.87.0.23 addresses this issue. Upgrading the affected component is recommended. The vendor explains: "It has been fixed (...) for our technical support branch. However, please note that this specific support branch firmware is not publicly released yet."
Metrics cvssV2_0

{'score': 5.2, 'vector': 'AV:A/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.5, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV2_0

{'score': 5.2, 'vector': 'AV:A/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 5.5, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}


Mon, 15 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in Yealink SIP-T46U 108.86.0.118. Affected by this vulnerability is the function mod_webd.TFTPUploadIperf of the file /api/inner/tftpuploadiperf of the component Web FastCGI Service. The manipulation of the argument ip/port leads to command injection. The attack needs to be initiated within the local network. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Yealink SIP-T46U Web FastCGI Service tftpuploadiperf mod_webd.TFTPUploadIperf command injection
First Time appeared Yealink
Yealink sip-t46u
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:a:yealink:sip-t46u:*:*:*:*:*:*:*:*
Vendors & Products Yealink
Yealink sip-t46u
References
Metrics cvssV2_0

{'score': 5.2, 'vector': 'AV:A/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.5, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Yealink Sip-t46u
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-27T05:45:43.675Z

Reserved: 2026-06-14T13:54:23.937Z

Link: CVE-2026-12223

cve-icon Vulnrichment

Updated: 2026-06-15T10:29:03.819Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T06:16:24.567

Modified: 2026-06-15T20:42:32.707

Link: CVE-2026-12223

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T07:30:13Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')