Severity: HIGH | CVE-2026-12222 | CNA: VulDB

CVE-2026-12222: Yealink SIP-T46U Web FastCGI Service bttest mod_webd.BlueToothTest stack-based overflow

A vulnerability was found in Yealink SIP-T46U 108.86.0.118. Affected is the function mod_webd.BlueToothTest of the file /api/inner/bttest of the component Web FastCGI Service. Manipulation of the argument btMac/pin/reserved leads to a stack-based buffer overflow. The attack must be launched from within the local network. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond.

Metrics

CVSS v4.0 score: 8.6
Severity: HIGH
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

A stack-based buffer overflow affects the Web FastCGI Service on the Yealink SIP-T46U IP phone (firmware 108.86.0.118). The vulnerable function, mod_webd.BlueToothTest, is reachable through the /api/inner/bttest endpoint from the local network (CVSS AV:A) and requires a low-privileged account on the service (PR:L). The CVSS vector rates the impact on the device's confidentiality, integrity and availability as High (VC:H/VI:H/VA:H): an attacker who triggers the overflow can read and modify data held by the service process and crash it. A public exploit exists (E:P). No patch has been published; HarborGuard tracks this advisory for fix availability.
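To make the bug class concrete, the following is an added example that is not Yealink's code and not part of the original advisory: a minimal FastCGI-style handler in C that copies the three request parameters named in the advisory (btMac, pin, reserved) into fixed-size stack buffers with no length check, beside a hardened version that validates length and syntax before a bounded copy. Only the parameter names come from the advisory; the buffer sizes, the `bttest_req` struct, the function names, the 16-digit PIN limit and the 32-byte reserved limit are assumptions. The same length and format rules are what a reverse proxy or WAF in front of the phone's management interface could enforce as a compensating control while no firmware fix exists.

```c
/* Illustrative reconstruction of the CVE-2026-12222 bug class.
 * NOT Yealink's code: parameter names come from the advisory, everything
 * else (struct, sizes, limits, function names) is an assumption. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

#define MAC_LEN      17   /* "aa:bb:cc:dd:ee:ff" */
#define PIN_MAX      16   /* assumed upper bound for a Bluetooth PIN */
#define RESERVED_MAX 32   /* assumed upper bound for the reserved field */

/* Decoded request parameters as a FastCGI handler would receive them. */
struct bttest_req {
    const char *btMac;
    const char *pin;
    const char *reserved;
};

enum { BT_OK = 0, BT_BAD_MAC = -1, BT_BAD_PIN = -2, BT_BAD_RESERVED = -3 };

/* Vulnerable pattern: unbounded strcpy into stack buffers. A btMac longer
 * than 17 bytes overwrites whatever follows mac[] on the stack (other locals,
 * the saved frame pointer, the return address). Shown for contrast only;
 * never pass attacker-controlled input to this function. */
int bttest_vulnerable(const struct bttest_req *r)
{
    char mac[MAC_LEN + 1];
    char pin[PIN_MAX + 1];
    char reserved[RESERVED_MAX + 1];
    strcpy(mac, r->btMac);
    strcpy(pin, r->pin);
    strcpy(reserved, r->reserved);
    return BT_OK; /* would hand the buffers to the Bluetooth test routine */
}

/* btMac must be exactly 17 bytes of the form hh:hh:hh:hh:hh:hh. */
static bool valid_mac(const char *s)
{
    if (strnlen(s, MAC_LEN + 1) != MAC_LEN)
        return false;
    for (int i = 0; i < MAC_LEN; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':') return false;
        } else if (!isxdigit((unsigned char)s[i])) {
            return false;
        }
    }
    return true;
}

/* pin must be 1..PIN_MAX decimal digits (assumed policy). */
static bool valid_pin(const char *s)
{
    size_t n = strnlen(s, PIN_MAX + 1);
    if (n == 0 || n > PIN_MAX)
        return false;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return false;
    return true;
}

/* Hardened pattern: reject anything outside the expected shape before any
 * copy happens, then copy with an explicit bound. Returns BT_OK or a
 * negative BT_BAD_* code identifying the offending parameter. */
int bttest_hardened(const struct bttest_req *r)
{
    char mac[MAC_LEN + 1];
    char pin[PIN_MAX + 1];
    char reserved[RESERVED_MAX + 1];

    if (!r->btMac || !valid_mac(r->btMac))
        return BT_BAD_MAC;
    if (!r->pin || !valid_pin(r->pin))
        return BT_BAD_PIN;
    if (!r->reserved || strnlen(r->reserved, RESERVED_MAX + 1) > RESERVED_MAX)
        return BT_BAD_RESERVED;

    /* snprintf always NUL-terminates and never writes past sizeof(buf). */
    snprintf(mac, sizeof mac, "%s", r->btMac);
    snprintf(pin, sizeof pin, "%s", r->pin);
    snprintf(reserved, sizeof reserved, "%s", r->reserved);
    return BT_OK;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    struct bttest_req ok = { "00:11:22:33:44:55", "0000", "" };
    struct bttest_req oversized = {
        "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF", "0000", "" };
    printf("valid request:   %d\n", bttest_hardened(&ok));
    printf("oversized btMac: %d\n", bttest_hardened(&oversized));
    return 0;
}
```

Build with `cc -Wall -o bttest_example bttest_example.c` (file name assumed) and run it; the oversized MAC is rejected with BT_BAD_MAC before any copy. The point of the hardened version is the order of operations: validate the shape of every parameter first, and only then copy with a bound, so a malformed request can never reach the copy.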

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including VulDB, within minutes of publication and matched against customer images and pipeline artifacts, including custom-built images that bundle Yealink firmware or related components.

Triage: Available

HarborGuard scores this CVE at 8.6 HIGH using the published CVSS v4.0 vector and can apply per-environment compliance policy weighting to escalate or suppress alert priority; findings are routed to the team inbox configured for each customer organization.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point.

Exploit Conditions

  • Network reachability: Adjacent (AV:A)

    The attacker must be on the same local network, LAN segment, or VPN as the target device; exploitation over the open internet is not possible without prior network access.

  • Authentication: Required (PR:L)

    A low-privileged account on the Web FastCGI Service is sufficient; the endpoint does not require administrator credentials.

  • Victim interaction: Not required (UI:N)

    No user action or social engineering is needed; the attacker sends a crafted request directly to the vulnerable endpoint.

  • Attack complexity: Low (AC:L, AT:N)

    The vector records no mitigation to bypass and no attack requirements such as a race condition or a specific memory-layout dependency. Whether the publicly disclosed exploit is reliable against a given unit is not stated in the advisory.

Blast Radius

  • Reads data accessible to the FastCGI service process; on an IP phone this typically includes stored credentials, configuration, and session material.
  • Overwrites memory and modifies persisted configuration or runtime state on the device.
  • Crashes the Web FastCGI Service, rendering the phone's web management interface and associated API endpoints unavailable.
  • A compromised device could serve as a foothold for further lateral movement within the local network segment it occupies.

How HarborGuard Handles This

Because no upstream patch exists for CVE-2026-12222, HarborGuard continuously monitors the VulDB advisory and any linked vendor channels on every ingest cycle. The moment a fix version is published, a patched-image rebuild becomes available and, for customers who opt into auto-remediation, the pipeline automatically runs a regression test suite and opens a PR against affected workloads.

While no patch is available, compensating controls worth considering include network-policy isolation to restrict LAN access to the SIP-T46U management interface, egress filtering to limit blast radius if the device is compromised, and a review of which accounts hold credentials for the Web FastCGI Service. The public exploit disclosure noted in the advisory raises urgency; customers scanning images that incorporate this firmware version or its components should treat any match as high-priority in their compliance policy configuration.

Affected packages
  • Yealink / SIP-T46U
    108.86.0.118
CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Decoded: Attack Vector Adjacent; Attack Complexity Low; Attack Requirements None; Privileges Required Low; User Interaction None; Vulnerable System Confidentiality/Integrity/Availability High; Subsequent System Confidentiality/Integrity/Availability None; Exploit Maturity Proof-of-Concept.