CVE 9.3 CRITICAL

Authentication Bypass in Slican telephone exchanges_CVE-2026-35087

May 27, 2026 invoker category_cve
9.3 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Slican telephone exchanges allow administrative protocol authentication bypass. An attacker can bypass the need to enter login credentials by executing the appropriate command.


This issue was fixed in versions below:
- NCP: version 1.24.0250
- IPx series: version 6.61.0040
- CCT-1668: version 6.56.0430
- MAC-6400: version 6.56.0430
- CXS-0424: version 6.30.0510

The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:
- CCT-1668 (CCT1CPU)
- MAC-6400
- CXS-0424
These products were discontinued in 2011 and 2012 and and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the their service department directly to determine the options for upgrading.

AI Analysis

Authentication bypass vulnerability in Slican telephone exchanges, allowing attackers to bypass administrative protocol authentication.

Basic Information

ID CVE-2026-35087
Source CERT-PL
Published May 27, 2026 at 12:42
Modified May 27, 2026 at 12:51

Affected Product

Vendor Slican
Product IPx
Affected Versions Slican IPx 0
Slican CCT-1668 0
Slican MAC-6400 0
Slican CXS-0424 0
Slican NCP 0

CWE Classification

CWE-288

AI Assessment

AI Score 9.3 / 10
AI Severity Critical
Vendor Slican
Product Slican telephone exchanges (IPx, NCP, CCT-1668, MAC-6400, CXS-0424)
Version 4.xx and below, versions prior to 1.24.0250 (NCP), 6.61.0040 (IPx), 6.56.0430 (CCT-1668, MAC-6400), 6.30.0510 (CXS-0424)

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.