CVE-2013-5758

EXPLOITED

Yealink Sip-t38g - OS Command Injection

Title source: rule

Description

cgi-bin/cgiServer.exx in Yealink VoIP Phone SIP-T38G allows remote authenticated users to execute arbitrary commands by calling the system method in the body of a request, as demonstrated by running unauthorized services, changing directory permissions, and modifying files.

Exploits (2)

exploitdb WORKING POC

by Mr.Un1k0d3r · textremotehardware

https://www.exploit-db.com/exploits/33742

View Code ZIP pw:eip

exploitdb WORKING POC

by Mr.Un1k0d3r · textremotehardware

https://www.exploit-db.com/exploits/33741

View Code ZIP pw:eip

References (5)

[Exploit] http://packetstormsecurity.com/files/127093/Yealink-VoIP-Phone-SIP-T38G-Privilege-Escalation.html

[Exploit] http://packetstormsecurity.com/files/127096/Yealink-VoIP-Phone-SIP-T38G-Remote-Command-Execution.html

[Exploit] http://www.exploit-db.com/exploits/33741

[Exploit] http://www.exploit-db.com/exploits/33742

[Third Party Advisory, VDB Entry] http://www.osvdb.org/108080

Scores

EPSS 0.1174

EPSS Percentile 93.7%

Details

VulnCheck KEV 2019-06-13

CWE

CWE-78

Status published

Products (1)

yealink/sip-t38g

Published Aug 03, 2014

Tracked Since Feb 18, 2026