Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
In Slican telephone exchanges secure key is generated in a predictable manner using properties of the telephone exchange which can be obtained without authentication. An unauthenticated attacker can deduce the secure key and obtain admin credentials.
This issue was fixed in versions below:
- IPx series: version 6.61.0040
- CCT-1668: version 6.56.0430
- MAC-6400: version 6.56.0430
- CXS-0424: version 6.30.0510
The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:
- CCT-1668 (CCT1CPU)
- MAC-6400
- CXS-0424
These products were discontinued in 2011 and 2012 and and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the their service department directly to determine the options for upgrading.
AnalysisAI
Predictable secure-key generation in Slican telephone exchanges (IPx, CCT-1668, MAC-6400, and CXS-0424 series) lets a remote unauthenticated attacker reconstruct the device's secure key from exchange properties that are readable without credentials, then derive administrator credentials. The flaw is network-reachable with low attack complexity and no authentication (CVSS 4.0 base 8.7), and while fixed firmware is available for supported lines, discontinued 4.xx and earlier units remain permanently exposed. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
Slican manufactures IP and TDM private branch exchange (PBX) systems used for business telephony; the affected lines are the IPx series and the legacy CCT-1668 (CCT1CPU), MAC-6400, and CXS-0424 platforms. The root cause maps to CWE-1391 (Use of Weak Credentials): rather than generating the 'secure key' from sufficient entropy, the exchange derives it deterministically from device properties that are queryable over the network without authentication. Because those inputs are observable, the key space collapses and the key - and the admin credentials protected by it - become computable. EUVD affected-version ranges (ipx <6.61.0040, CCT-1668 <6.56.0430, MAC-6400 <6.56.0430, CXS-0424 <6.30.0510) identify the exact firmware boundaries; no CPE strings were supplied in this dataset.
RemediationAI
Apply the vendor-released patches to the exact fixed firmware: IPx series 6.61.0040, CCT-1668 6.56.0430, MAC-6400 6.56.0430, and CXS-0424 6.30.0510, then rotate the administrator credentials since any previously exposed key allowed them to be derived. For the End-Of-Life CCT-1668, MAC-6400, and CXS-0424 units on 4.xx and below, no software fix is possible without a hardware upgrade, so contact Slican's service department about replacement or hardware-update options. Until patched, reduce exposure by restricting network reachability of the exchange's management and key-serving interfaces to a trusted management VLAN, blocking access from the internet and untrusted segments at the firewall, and monitoring for unexpected administrative logins - note these are containment measures only and do not eliminate the deterministic key derivation, so credential rotation alone is insufficient on an unpatched device because the key can simply be recomputed.
Same weakness CWE-1391 – Use of Weak Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32277
GHSA-pch2-h8hc-84fh