CVE-2026-12218: Yealink SIP-T46U Web FastCGI Service beforewifitest StartReportInformation stack-based overflow
A vulnerability was detected in Yealink SIP-T46U 108.87.50.1. The affected element is the function StartReportInformation of the file /api/inner/beforewifitest of the component Web FastCGI Service. The manipulation of the argument port results in stack-based buffer overflow. Access to the local network is required for this attack. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A stack-based buffer overflow affects the Yealink SIP-T46U IP phone (firmware 108.87.50.1) in the Web FastCGI Service's StartReportInformation function, reachable via the /api/inner/beforewifitest endpoint. The vulnerability is triggered by manipulating the port argument over the local network, and requires a low-privilege account to exploit. Successful exploitation gives an attacker full read, write, and crash capability over the affected device. No fix has been published; HarborGuard tracks the advisory and will surface a patched rebuild the moment upstream releases one.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including VulDB within minutes of publication and matched against customer images, including custom-built firmware or application images that bundle the affected Yealink component. Any image fingerprinted as running Yealink SIP-T46U firmware 108.87.50.1 is flagged automatically.
Status: Available
HarborGuard scores this CVE at 8.6 HIGH using the CVSS v4.0 vector and weights it against each customer environment's compliance policy to determine urgency and ownership routing. Triage findings are delivered to the inbox or ticketing integration configured for the relevant team within each customer org.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Yealink releases a remediated firmware version. In the interim, the advisory status and exposure surface remain visible in the HarborGuard dashboard for each affected environment.
Status: Pending upstream
Exploit Conditions
- Network reachability: Detail
The attacker must be present on the same local network, LAN segment, or VPN as the target device; remote internet-based access is not sufficient.
- Authentication: Required
A low-privilege account on the device's Web FastCGI Service is required; unauthenticated access to the vulnerable endpoint is not sufficient.
- Victim interaction: Not required
No user interaction is needed; the attacker sends a crafted request directly to the vulnerable endpoint without any action from a logged-in user.
- Attack complexity: Detail
Exploitation is reliable and condition-free, with no race conditions or special environmental state required beyond network adjacency and a valid low-privilege credential.
Blast Radius
- An attacker can read all data accessible to the FastCGI service process, including stored credentials, SIP account details, and configuration secrets on the phone.
- An attacker can overwrite memory and persistent configuration, allowing modification of call routing, SIP registrar settings, or admin credentials.
- An attacker can crash the Web FastCGI Service, taking the phone's management interface and potentially its call functionality offline.
- A public proof-of-concept exploit is already circulating, lowering the bar for any attacker with LAN access to weaponize this overflow.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of this advisory across every customer environment scanning images that include Yealink SIP-T46U firmware 108.87.50.1. Because no patch exists, HarborGuard recommends the following compensating controls where operationally feasible: apply network policy to isolate SIP phone management interfaces to a dedicated VLAN or segment with strict ingress rules; block access to the /api/inner/beforewifitest endpoint at the network perimeter or via an internal API gateway; and audit which accounts hold credentials to the Web FastCGI Service, revoking any that are not operationally necessary. HarborGuard re-checks the Yealink advisory on every feed ingest cycle. For customers with auto-remediation enabled, a rebuilt image and a PR opened against affected workloads will be generated automatically the moment Yealink publishes a remediated firmware version, with no manual tracking required.
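To check that the endpoint block described above is holding, the following added example (not HarborGuard or Yealink code) audits gateway access logs for requests to /api/inner/beforewifitest. It assumes the gateway writes Common Log Format lines and answers blocked requests with 403 or 404; the management subnet, the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

BLOCKED_PATH = "/api/inner/beforewifitest"          # endpoint named in the advisory
MGMT_NET = ipaddress.ip_network("10.20.0.0/28")     # assumption: admin workstation subnet
DENY_STATUSES = (403, 404)                          # assumption: gateway's deny responses

# Assumption: Common Log Format, e.g. from a reverse proxy in front of the phones.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalise(target):
    """Canonicalise a request target so equivalent spellings match one rule."""
    path = unquote(target.split("?", 1)[0])          # drop query, decode %xx
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def in_mgmt_net(src):
    """True only for a literal IP inside the management subnet."""
    try:
        return ipaddress.ip_address(src) in MGMT_NET
    except ValueError:                               # hostname or garbage in the log
        return False

def audit(lines):
    """Return one finding per request that targeted the advisory's endpoint."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalise(m["target"]) != BLOCKED_PATH:
            continue
        findings.append({
            "src": m["src"],
            "time": m["ts"],
            "allowed_source": in_mgmt_net(m["src"]),
            "blocked": int(m["status"]) in DENY_STATUSES,
        })
    return findings

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.20.0.5 - admin [12/Mar/2026:09:14:02 +0000] "POST /api/inner/beforewifitest HTTP/1.1" 403 153',
    '10.30.4.77 - user [12/Mar/2026:09:15:40 +0000] "POST /api//inner/beforewifitest HTTP/1.1" 200 87',
    '10.30.4.77 - user [12/Mar/2026:09:16:01 +0000] "GET /api/status HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        if not f["blocked"]:
            print("endpoint reached, rule not enforced:", f)
```

Any finding with "blocked" false means a request was forwarded to a phone despite the rule; one that also has "allowed_source" false came from outside the management segment and should be investigated first.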
- Yealink / SIP-T46U 108.87.50.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P