Skip to main content

Slican PBX CVE-2026-35090

| EUVDEUVD-2026-32278 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-27 cvd@cert.pl GHSA-4fcp-hv44-rggc
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 27, 2026 - 19:46 EUVD
Analysis Generated
May 27, 2026 - 19:43 vuln.today
CVE Published
May 27, 2026 - 14:16 nvd
CRITICAL 9.3

DescriptionCVE.org

In Slican telephone exchanges it is possible to manage the control panel remotely. An unauthenticated attacker can connect to the modem via a telephone with a specific caller ID. This allows them to bypass admin authentication and gain full access to the service protocol and configuration panel. This vulnerability is independent of the telephone exchanges configuration. If remote access is disabled, calling with this caller ID will temporarily enable it.

This issue was fixed in versions below:

  • IPL-256: version 6.61.0040
  • IPM-032: version 6.61.0040
  • CCT-1668: version 6.56.0430
  • MAC-6400: version 6.56.0430
  • CXS-0424: version 6.30.0510

The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:

  • CCT-1668 (CCT1CPU)
  • MAC-6400
  • CXS-0424

These products were discontinued in 2011 and 2012 and and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the their service department directly to determine the options for upgrading.

AnalysisAI

Authentication bypass in Slican telephone exchanges (IPL-256, IPM-032, CCT-1668, MAC-6400, CXS-0424) lets an unauthenticated remote attacker who dials the device's management modem while presenting a specific caller ID bypass admin authentication and obtain full access to the service protocol and configuration panel. Because this 'magic' caller ID works regardless of how the exchange is configured - and even temporarily re-enables remote management when an administrator has disabled it - the flaw behaves like a hidden backdoor rather than a normal misconfiguration. CVSS 4.0 rates it 9.3 (critical); no public exploit has been identified at time of analysis, and the issue remains permanently unpatched on End-of-Life CCT-1668, MAC-6400, and CXS-0424 units running firmware 4.xx and below.

Technical ContextAI

Slican manufactures PBX/telephone exchange systems whose control panel and service protocol can be administered remotely over a built-in modem (dial-in management). The root cause maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel): instead of validating administrator credentials, the device grants privileged access based on the calling party's caller ID (CLI/ANI). Presenting one specific caller ID is treated as implicit authorization to the management channel, so the normal admin authentication path is short-circuited entirely. Caller ID is an attacker-supplied, easily spoofable signaling field on both PSTN and VoIP networks, which makes a CLI-based trust decision an inherently weak authentication mechanism. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) with high confidentiality, integrity, and availability impact reflects that anyone able to reach the device's modem and present the trusted caller ID gains full administrative control of the exchange.

RemediationAI

Vendor-released patches are available - upgrade IPL-256 and IPM-032 to 6.61.0040, CCT-1668 and MAC-6400 to 6.56.0430, and CXS-0424 to 6.30.0510 or later. For the End-of-Life CCT-1668 (CCT1CPU), MAC-6400, and CXS-0424 units on 4.xx firmware, no software-only fix exists; these require a hardware update, and the vendor recommends contacting Slican's service department directly to determine upgrade options. Because the bypass works regardless of configuration and can re-enable remote management on its own, do not rely on disabling remote access as a mitigation. As compensating controls on unpatchable devices, restrict who can dial the management modem - for example, physically disconnect or disable the modem/dial-in line where remote administration is not needed (trade-off: loss of legitimate remote management), apply PSTN/VoIP-side call filtering or allow-listing on the line serving the modem (trade-off: caller ID can be spoofed, so filtering alone is not fully reliable), and isolate the exchange's telephony management line behind controlled trunks. See the advisory at https://cert.pl/posts/2026/05/CVE-2026-35087 for vendor guidance.

Share

CVE-2026-35090 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy