Skip to main content

Slican PBX CVE-2026-35090

| EUVD-2026-32278 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-27 cvd@cert.pl GHSA-4fcp-hv44-rggc
Authentication Bypass
9.3
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 27, 2026 - 19:46 EUVD
Analysis Generated
May 27, 2026 - 19:43 vuln.today
CVE Published
May 27, 2026 - 14:16 nvd
CRITICAL 9.3

DescriptionNVD

In Slican telephone exchanges it is possible to manage the control panel remotely. An unauthenticated attacker can connect to the modem via a telephone with a specific caller ID. This allows them to bypass admin authentication and gain full access to the service protocol and configuration panel. This vulnerability is independent of the telephone exchanges configuration. If remote access is disabled, calling with this caller ID will temporarily enable it.

This issue was fixed in versions below:

  • IPL-256: version 6.61.0040
  • IPM-032: version 6.61.0040
  • CCT-1668: version 6.56.0430
  • MAC-6400: version 6.56.0430
  • CXS-0424: version 6.30.0510

The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:

  • CCT-1668 (CCT1CPU)
  • MAC-6400
  • CXS-0424

These products were discontinued in 2011 and 2012 and and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the their service department directly to determine the options for upgrading.

AnalysisAI

Authentication bypass in Slican telephone exchanges (IPL-256, IPM-032, CCT-1668, MAC-6400, CXS-0424) lets an unauthenticated remote attacker who dials the device's management modem while presenting a specific caller ID bypass admin authentication and obtain full access to the service protocol and configuration panel. Because this 'magic' caller ID works regardless of how the exchange is configured - and even temporarily re-enables remote management when an administrator has disabled it - the flaw behaves like a hidden backdoor rather than a normal misconfiguration. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

24 hours: Inventory all Slican exchanges in production (IPL-256, IPM-032, CCT-1668, MAC-6400, CXS-0424 firmware 4.xx and below); assess management modem connectivity; disable remote management access if operationally feasible. 7 days: Complete affected hardware inventory; implement network segmentation with firewall rules restricting management interface access to authorized locations only; initiate replacement planning for permanently unpatched EOL units (CCT-1668, MAC-6400, CXS-0424). …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-35090 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy