CVE 8.7 HIGH

Use of Weak Credentials in Slican telephone exchanges_CVE-2026-35089

May 27, 2026 invoker category_cve
8.7 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

In Slican telephone exchanges secure key is generated in a predictable manner using properties of the telephone exchange which can be obtained without authentication. An unauthenticated attacker can deduce the secure key and obtain admin credentials.

This issue was fixed in versions below:
- IPx series: version 6.61.0040
- CCT-1668: version 6.56.0430
- MAC-6400: version 6.56.0430
- CXS-0424: version 6.30.0510

The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:
- CCT-1668 (CCT1CPU)
- MAC-6400
- CXS-0424
These products were discontinued in 2011 and 2012 and and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the their service department directly to determine the options for upgrading.

AI Analysis

Predictable secure key generation in Slican telephone exchanges allows unauthenticated attackers to obtain admin credentials

Basic Information

ID CVE-2026-35089
Source CERT-PL
Published May 27, 2026 at 12:42

Affected Product

Vendor Slican
Product IPx
Affected Versions Slican IPx 0
Slican CCT-1668 0
Slican MAC-6400 0
Slican CXS-0424 0

CWE Classification

CWE-1391

AI Assessment

AI Score 8.7 / 10
AI Severity High
Vendor Slican
Product Slican telephone exchanges (IPx, CCT-1668, MAC-6400, CXS-0424)
Version 4.xx and below, 6.61.0040 and below for IPx, 6.56.0430 and below for CCT-1668 and MAC-6400, 6.30.0510 and below for CXS-0424

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.