PatchSiren cyber security CVE debrief
CVE-2026-12222 Yealink CVE debrief
A stack-based buffer overflow has been identified in Yealink SIP-T46U 108.86.0.118. The affected function is mod_webd.BlueToothTest, in the file /api/inner/bttest of the Web FastCGI Service component. Manipulating the argument btMac/pin/reserved can lead to a stack-based buffer overflow. The attack must be carried out from within the local network. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- Vendor: Yealink
- Product: SIP-T46U
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Administrators and users of Yealink SIP-T46U devices running 108.86.0.118 should be aware of this vulnerability, which is exploitable from within the local network, and take action to mitigate the risk.
Technical summary
CVE-2026-12222 is a stack-based buffer overflow in the mod_webd.BlueToothTest function of the Yealink SIP-T46U 108.86.0.118 device. The function is part of the Web FastCGI Service and is located in the /api/inner/bttest file. Manipulating the btMac, pin, and reserved arguments can lead to the overflow. The attack requires local network access.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by the vendor as soon as they are available.
- Restrict access to the affected component, the Web FastCGI Service, to necessary personnel only.
- Monitor network traffic for suspicious activity related to the affected device.
- Consider implementing additional security measures such as network segmentation and intrusion detection systems.
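One way to act on the monitoring recommendation above is to flag requests to /api/inner/bttest that come from unexpected hosts or carry oversized btMac, pin or reserved values. The sketch below is an added example, not vendor or advisory code; the record schema (src, url, urlencoded body), the length ceilings and the allowlisted address are assumptions to adapt to your own proxy or IDS logs.

```python
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/api/inner/bttest"   # path named in the advisory
# Assumed ceilings for well-formed values; the advisory states no buffer sizes.
# 17 = colon-separated MAC address, 16 = longest legacy Bluetooth PIN.
MAX_LEN = {"btMac": 17, "pin": 16, "reserved": 64}
ALLOWED_SOURCES = {"10.20.0.5"}  # hypothetical management workstation


def check_request(record):
    """Return findings for one captured request (assumed keys: src, url, body)."""
    parts = urlsplit(record["url"])
    if unquote(parts.path).rstrip("/") != ENDPOINT:
        return []
    findings = []
    if record["src"] not in ALLOWED_SOURCES:
        findings.append("unexpected-source")
    # Merge query-string and urlencoded body parameters.
    params = parse_qs(parts.query, keep_blank_values=True)
    body = parse_qs(record.get("body", ""), keep_blank_values=True)
    for name, values in body.items():
        params.setdefault(name, []).extend(values)
    for name, limit in MAX_LEN.items():
        longest = max((len(v) for v in params.get(name, [])), default=0)
        if longest > limit:
            findings.append(f"oversized-{name}:{longest}")
    return findings


# Constructed sample records, not captured traffic.
SAMPLES = [
    {"src": "10.20.0.5", "url": "/api/inner/bttest",
     "body": "btMac=00%3A11%3A22%3A33%3A44%3A55&pin=0000"},
    {"src": "10.20.7.41", "url": "/api/inner/bttest?reserved=x",
     "body": "btMac=00%3A11%3A22%3A33%3A44%3A55&pin=" + "1" * 300},
    {"src": "10.20.7.41", "url": "/api/status", "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["src"], rec["url"], check_request(rec))
```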
Evidence notes
The CVSS score for this vulnerability is 7.3, indicating a high severity. The vulnerability is publicly disclosed and may be utilized by attackers.
Official resources
CVE-2026-12222 was published and modified on 2026-06-15T06:16:24.413Z.