CVE-2018-16221

Name: CVE-2018-16221
Creator: NVD / NIST
Published: 2019-05-29T18:29:00.85+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 1.50%

Last modified Jun 17, 2026

CVE-2018-16221 is a vulnerability of currently unknown severity. The diagnostics web interface in the Yeahlink Ultra-elegant IP Phone SIP-T41P (firmware 66.83.0.35) does not validate (escape) the path information (path traversal), which allows an authenticated remote attacker to get access to privileged information (e.g., /etc/passwd) via path traversal (relative path information in the file parameter of the corresponding POST request).. EPSS estimates a 1.50% chance of exploitation in the next 30 days.

Description

The diagnostics web interface in the Yeahlink Ultra-elegant IP Phone SIP-T41P (firmware 66.83.0.35) does not validate (escape) the path information (path traversal), which allows an authenticated remote attacker to get access to privileged information (e.g., /etc/passwd) via path traversal (relative path information in the file parameter of the corresponding POST request).

Metrics

EPSS Probability

1.50%

71.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-22

Affected Software

Vendor	Product	Versions
Yealink	Ultra-Elegant Ip Phone Sip-T41p Firmware	66.83.0.35

References

https://www.sit.fraunhofer.de/de/securitytestlab/Third Party Advisory
https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Yealink_Ultra-elegantIPPhone_SIPT41P.pdf?_=1549375271Third Party Advisory
https://www.sit.fraunhofer.de/de/securitytestlab/Third Party Advisory
https://www.sit.fraunhofer.de/fileadmin/dokumente/CVE/Advisory_Yealink_Ultra-elegantIPPhone_SIPT41P.pdf?_=1549375271Third Party Advisory

Timeline

Published: May 29, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-16221?

How severe is CVE-2018-16221?

Severity scoring for CVE-2018-16221 is pending analysis. The EPSS model estimates a 1.50% probability of exploitation in the next 30 days.

How do I fix CVE-2018-16221?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-16221?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST