Skip to main content

Slican PBX CVE-2026-35087

| EUVDEUVD-2026-32276 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-27 cvd@cert.pl GHSA-74x7-73gr-c646
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 27, 2026 - 19:46 EUVD
Analysis Generated
May 27, 2026 - 19:43 vuln.today
CVE Published
May 27, 2026 - 14:16 nvd
CRITICAL 9.3

DescriptionCVE.org

Slican telephone exchanges allow administrative protocol authentication bypass. An attacker can bypass the need to enter login credentials by executing the appropriate command.

This issue was fixed in versions below:

  • NCP: version 1.24.0250
  • IPx series: version 6.61.0040
  • CCT-1668: version 6.56.0430
  • MAC-6400: version 6.56.0430
  • CXS-0424: version 6.30.0510

The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:

  • CCT-1668 (CCT1CPU)
  • MAC-6400
  • CXS-0424

These products were discontinued in 2011 and 2012 and and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the their service department directly to determine the options for upgrading.

AnalysisAI

Authentication bypass in Slican telephone exchanges (NCP, IPx, CCT-1668, MAC-6400, and CXS-0424 PBX systems) lets a remote attacker skip credential entry on the administrative protocol simply by issuing a specific command, granting full administrative control of the exchange. The flaw was reported by CERT Polska (cert.pl), carries a CVSS 4.0 base score of 9.3, and has no public exploit identified at time of analysis; however, the high score reflects unauthenticated network-reachable access with full confidentiality, integrity, and availability impact. Fixed firmware is available for current models, but the issue remains permanently unpatched on End-Of-Life CCT-1668, MAC-6400, and CXS-0424 units running version 4.xx and below.

Technical ContextAI

Slican is a Polish manufacturer of IP/TDM private branch exchange (PBX) telephony systems used by businesses and institutions; the affected lines include the NCP and IPx series gateways/exchanges and the older CCT-1668, MAC-6400, and CXS-0424 chassis. The vulnerability lies in the device's administrative management protocol, which is intended to require operator login credentials before granting configuration access. The root cause is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel): the description indicates that issuing 'the appropriate command' allows an attacker to reach administrative functionality through a path that does not enforce the normal credential check, effectively providing an alternate, unauthenticated channel into the management interface.

RemediationAI

Vendor-released patches are available - upgrade NCP to 1.24.0250, IPx series to 6.61.0040, CCT-1668 to 6.56.0430, MAC-6400 to 6.56.0430, and CXS-0424 to 6.30.0510 (or later) as the primary fix. For the End-Of-Life CCT-1668 (CCT1CPU), MAC-6400, and CXS-0424 units on version 4.xx and below, no software-only fix exists; the vendor states these require a hardware update to receive updated software and recommends contacting the Slican service department directly to determine upgrade options. Until devices are patched or replaced, restrict reachability of the administrative management protocol by placing exchanges on an isolated management VLAN and blocking the admin protocol port at network boundaries and firewalls so it is not reachable from user or internet-facing segments - the trade-off is that legitimate remote administration must then traverse a VPN or jump host. Monitor the management interface for unexpected administrative sessions or commands as a detective control. Refer to the CERT Polska advisory at https://cert.pl/posts/2026/05/CVE-2026-35087 for authoritative details.

Share

CVE-2026-35087 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy