PatchSiren cyber security CVE debrief
CVE-2026-12223 Yealink CVE debrief
A vulnerability was identified in Yealink SIP-T46U 108.86.0.118. The function mod_webd.TFTPUploadIperf of the file /api/inner/tftpuploadiperf of the component Web FastCGI Service is affected. The manipulation of the argument ip/port leads to command injection. The attack needs to be initiated within the local network. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
- Vendor: Yealink
- Product: SIP-T46U
- CVSS: LOW 2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Administrators and users of Yealink SIP-T46U 108.86.0.118 should be aware of this vulnerability, which can be triggered from within the local network, and take the necessary precautions.
Technical summary
The vulnerability has a CVSS score of 2 and is classified as LOW severity. It is related to CWE-74 and CWE-77. The CVSS vector is CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
Low
Recommended defensive actions
- Update to a patched version if available.
- Restrict access to the Web FastCGI Service.
- Monitor for suspicious activity within the local network.
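One way to act on the monitoring item, as an added example that is not part of the advisory or any vendor tooling: flag requests to /api/inner/tftpuploadiperf whose ip or port argument is not a bare address or port number. The log layout, the assumption that the arguments appear in the logged query string, and the sample lines are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/api/inner/tftpuploadiperf"  # path named in the advisory

# Assumed log layout (not from the advisory): client "METHOD url HTTP/x.y" status
LOG_RE = re.compile(r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')

def valid_ip(value):
    """True only for a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def valid_port(value):
    """True only for ASCII digits in the range 1-65535."""
    return value.isascii() and value.isdigit() and len(value) <= 5 and 1 <= int(value) <= 65535

def check_line(line):
    """Return findings for one log line; an empty list means nothing to report."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url = urlsplit(m["url"])
    if url.path.rstrip("/").lower() != ENDPOINT:
        return []
    # parse_qs percent-decodes values, so encoded separators are seen decoded.
    params = parse_qs(url.query, keep_blank_values=True, separator="&")
    findings = []
    for name, is_valid in (("ip", valid_ip), ("port", valid_port)):
        for value in params.get(name, []):
            if not is_valid(value):
                findings.append(f"{m['client']} sent non-conforming {name}={value!r}")
    return findings

# Constructed sample lines; PLACEHOLDER stands in for arbitrary appended text.
SAMPLE_LOG = [
    '192.0.2.10 "GET /api/inner/tftpuploadiperf?ip=192.0.2.50&port=69 HTTP/1.1" 200',
    '192.0.2.77 "GET /api/inner/tftpuploadiperf?ip=192.0.2.50%3BPLACEHOLDER&port=69 HTTP/1.1" 200',
    '192.0.2.77 "GET /api/inner/tftpuploadiperf?ip=192.0.2.50&port=69%7CPLACEHOLDER HTTP/1.1" 200',
    '192.0.2.10 "GET /index.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for finding in check_line(entry):
            print(finding)
```

The same allow-list test (valid address, numeric port) can be enforced at a filtering proxy in front of the device instead of only being logged.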
Evidence notes
The vendor was contacted but did not respond. The exploit is publicly available.
Official resources
CVE-2026-12223 was published and modified on 2026-06-15T06:16:24.567Z.