CVE Catalog

CVE-2026-12219

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.05%

60th percentile — higher than 60% of all known CVEs

Summary

A command injection vulnerability has been found in Yealink SIP-T46U firmware version 108.86.0.118 in the mod_diagnose.CommandShellByType function of the /api/diagnosis/start file. The attack can be initiated remotely by manipulating the Time argument, and the exploit has been published.

Risk Assessment

A remote attacker can execute arbitrary system commands on the vulnerable device, potentially leading to full compromise of the phone and its use as an entry point into the internal network.

Recommendation

Immediately update the Yealink SIP-T46U firmware to version 108.87.0.23 or later, which fixes this vulnerability.

Original NVD description (English source)

A flaw has been found in Yealink SIP-T46U 108.86.0.118. The impacted element is the function mod_diagnose.CommandShellByType of the file /api/diagnosis/start of the component Web FastCGI Service. This manipulation of the argument Time causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 108.87.0.23 is sufficient to resolve this issue. It is advisable to upgrade the affected component.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS