Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Slican telephone exchanges allow administrative protocol authentication bypass. An attacker can bypass the need to enter login credentials by executing the appropriate command.
This issue was fixed in versions below:
- NCP: version 1.24.0250
- IPx series: version 6.61.0040
- CCT-1668: version 6.56.0430
- MAC-6400: version 6.56.0430
- CXS-0424: version 6.30.0510
The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:
- CCT-1668 (CCT1CPU)
- MAC-6400
- CXS-0424
These products were discontinued in 2011 and 2012 and and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the their service department directly to determine the options for upgrading.
AnalysisAI
Authentication bypass in Slican telephone exchanges (NCP, IPx, CCT-1668, MAC-6400, and CXS-0424 PBX systems) lets a remote attacker skip credential entry on the administrative protocol simply by issuing a specific command, granting full administrative control of the exchange. The flaw was reported by CERT Polska (cert.pl), carries a CVSS 4.0 base score of 9.3, and has no public exploit identified at time of analysis; however, the high score reflects unauthenticated network-reachable access with full confidentiality, integrity, and availability impact. Fixed firmware is available for current models, but the issue remains permanently unpatched on End-Of-Life CCT-1668, MAC-6400, and CXS-0424 units running version 4.xx and below.
Technical ContextAI
Slican is a Polish manufacturer of IP/TDM private branch exchange (PBX) telephony systems used by businesses and institutions; the affected lines include the NCP and IPx series gateways/exchanges and the older CCT-1668, MAC-6400, and CXS-0424 chassis. The vulnerability lies in the device's administrative management protocol, which is intended to require operator login credentials before granting configuration access. The root cause is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel): the description indicates that issuing 'the appropriate command' allows an attacker to reach administrative functionality through a path that does not enforce the normal credential check, effectively providing an alternate, unauthenticated channel into the management interface.
RemediationAI
Vendor-released patches are available - upgrade NCP to 1.24.0250, IPx series to 6.61.0040, CCT-1668 to 6.56.0430, MAC-6400 to 6.56.0430, and CXS-0424 to 6.30.0510 (or later) as the primary fix. For the End-Of-Life CCT-1668 (CCT1CPU), MAC-6400, and CXS-0424 units on version 4.xx and below, no software-only fix exists; the vendor states these require a hardware update to receive updated software and recommends contacting the Slican service department directly to determine upgrade options. Until devices are patched or replaced, restrict reachability of the administrative management protocol by placing exchanges on an isolated management VLAN and blocking the admin protocol port at network boundaries and firewalls so it is not reachable from user or internet-facing segments - the trade-off is that legitimate remote administration must then traverse a VPN or jump host. Monitor the management interface for unexpected administrative sessions or commands as a detective control. Refer to the CERT Polska advisory at https://cert.pl/posts/2026/05/CVE-2026-35087 for authoritative details.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32276
GHSA-74x7-73gr-c646