CVE-2026-12219
MediumCVSS 6.3Exploitation Probability (EPSS)
Elevated risk60th percentile — higher than 60% of all known CVEs
Summary
A command injection vulnerability has been found in Yealink SIP-T46U firmware version 108.86.0.118 in the mod_diagnose.CommandShellByType function of the /api/diagnosis/start file. The attack can be initiated remotely by manipulating the Time argument, and the exploit has been published.
Risk Assessment
A remote attacker can execute arbitrary system commands on the vulnerable device, potentially leading to full compromise of the phone and its use as an entry point into the internal network.
Recommendation
Immediately update the Yealink SIP-T46U firmware to version 108.87.0.23 or later, which fixes this vulnerability.
Original NVD description (English source)
A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 108.87.0.23 is sufficient to resolve this issue. It is advisable to upgrade the affected component.

