Skip to main content

Slican PBX CVE-2026-35089

| EUVDEUVD-2026-32277 HIGH
Use of Weak Credentials (CWE-1391)
2026-05-27 cvd@cert.pl GHSA-pch2-h8hc-84fh
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 27, 2026 - 19:57 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
HIGH 8.7

DescriptionCVE.org

In Slican telephone exchanges secure key is generated in a predictable manner using properties of the telephone exchange which can be obtained without authentication. An unauthenticated attacker can deduce the secure key and obtain admin credentials.

This issue was fixed in versions below:

  • IPx series: version 6.61.0040
  • CCT-1668: version 6.56.0430
  • MAC-6400: version 6.56.0430
  • CXS-0424: version 6.30.0510

The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:

  • CCT-1668 (CCT1CPU)
  • MAC-6400
  • CXS-0424

These products were discontinued in 2011 and 2012 and and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the their service department directly to determine the options for upgrading.

AnalysisAI

Predictable secure-key generation in Slican telephone exchanges (IPx, CCT-1668, MAC-6400, and CXS-0424 series) lets a remote unauthenticated attacker reconstruct the device's secure key from exchange properties that are readable without credentials, then derive administrator credentials. The flaw is network-reachable with low attack complexity and no authentication (CVSS 4.0 base 8.7), and while fixed firmware is available for supported lines, discontinued 4.xx and earlier units remain permanently exposed. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

Slican manufactures IP and TDM private branch exchange (PBX) systems used for business telephony; the affected lines are the IPx series and the legacy CCT-1668 (CCT1CPU), MAC-6400, and CXS-0424 platforms. The root cause maps to CWE-1391 (Use of Weak Credentials): rather than generating the 'secure key' from sufficient entropy, the exchange derives it deterministically from device properties that are queryable over the network without authentication. Because those inputs are observable, the key space collapses and the key - and the admin credentials protected by it - become computable. EUVD affected-version ranges (ipx <6.61.0040, CCT-1668 <6.56.0430, MAC-6400 <6.56.0430, CXS-0424 <6.30.0510) identify the exact firmware boundaries; no CPE strings were supplied in this dataset.

RemediationAI

Apply the vendor-released patches to the exact fixed firmware: IPx series 6.61.0040, CCT-1668 6.56.0430, MAC-6400 6.56.0430, and CXS-0424 6.30.0510, then rotate the administrator credentials since any previously exposed key allowed them to be derived. For the End-Of-Life CCT-1668, MAC-6400, and CXS-0424 units on 4.xx and below, no software fix is possible without a hardware upgrade, so contact Slican's service department about replacement or hardware-update options. Until patched, reduce exposure by restricting network reachability of the exchange's management and key-serving interfaces to a trusted management VLAN, blocking access from the internet and untrusted segments at the firewall, and monitoring for unexpected administrative logins - note these are containment measures only and do not eliminate the deterministic key derivation, so credential rotation alone is insufficient on an unpatched device because the key can simply be recomputed.

Share

CVE-2026-35089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy