Full Report
CERT Polska has received a report about 3 vulnerabilities (CVE-2026-35087, CVE-2026-35089 and CVE-2026-35090) found in Slican telephone exchange software.
Analysis Summary
# Vulnerability: Multiple Authentication Bypasses in Slican Telephone Exchanges
## CVE Details
- **CVE ID:** CVE-2026-35087, CVE-2026-35089, CVE-2026-35090
- **CVSS Score:** Not explicitly provided in the source (Estimate: Critical/High)
- **CWE:**
  - CWE-288: Authentication Bypass Using an Alternate Path or Channel (CVE-2026-35087, CVE-2026-35090)
  - CWE-1391: Use of Weak Credentials (CVE-2026-35089)
## Affected Systems
- **Products:** Slican IPx series (IPL-256, IPM-032), CCT-1668, MAC-6400, CXS-0424, and NCP.
- **Versions:**
  - **IPx (IPL-256, IPM-032):** All versions before 6.61.0040
  - **CCT-1668 / MAC-6400:** All versions before 6.56.0430
  - **CXS-0424:** All versions before 6.30.0510
  - **NCP:** All versions before 1.24.0250
- **Configurations:** Systems running End-of-Life (EOL) firmware (v4.xx and below) remain vulnerable as they cannot be patched without hardware upgrades.
## Vulnerability Description
Three distinct security flaws allow for unauthorized access to Slican telephone exchanges:
1. **CVE-2026-35087:** A flaw in the administrative protocol allows an attacker to skip the credential requirement by executing a specific command.
2. **CVE-2026-35089:** "Secure keys" used for credential retrieval are generated using predictable device properties. An unauthenticated attacker can harvest these properties to deduce the key and obtain administrative credentials.
3. **CVE-2026-35090:** A modem-based bypass where a remote attacker can call the control panel using a specific Caller ID. This triggers administrative access to the service protocol and configuration, even if remote access was previously disabled.
## Exploitation
- **Status:** Reported via CVD (Coordinated Vulnerability Disclosure). No public PoC mentioned, but technical mechanisms (specific command, predictable keys, specific Caller ID) are identified.
- **Complexity:** Low to Medium.
- **Attack Vector:** Network (for protocol bypass and key deduction) and Remote/Telephone (for Caller ID bypass).
## Impact
- **Confidentiality:** High (Full access to configuration and administrative credentials).
- **Integrity:** High (Ability to modify service protocols and exchange settings).
- **Availability:** High (Attacker can control or disable the telephone exchange).
## Remediation
### Patches
Update to the following versions or newer:
- **NCP:** 1.24.0250
- **IPx:** 6.61.0040
- **CCT-1668 / MAC-6400:** 6.56.0430
- **CXS-0424:** 6.30.0510
### Workarounds
- **EOL Devices:** For CCT-1668 (CCT1CPU), MAC-6400, and CXS-0424 running version 4.xx or lower, no software patch is available. Users must contact Slican service departments for hardware upgrade options to support secure firmware.
- **Network Isolation:** Ensure telephone exchange management interfaces are not exposed to the public internet.
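
The following is an added example, not code from CERT Polska or Slican: it triages a device inventory against the fixed versions and the EOL rule listed above. The inventory rows and hostnames are constructed, and it assumes firmware strings compare as dot-separated integers.

```python
"""Triage a PBX inventory against the fixed versions listed in this advisory."""

# First fixed firmware per model, taken from the advisory's Patches list.
FIXED = {
    "IPL-256": "6.61.0040",
    "IPM-032": "6.61.0040",
    "CCT-1668": "6.56.0430",
    "MAC-6400": "6.56.0430",
    "CXS-0424": "6.30.0510",
    "NCP": "1.24.0250",
}
# Models the advisory names as having no software fix on firmware 4.xx or lower.
EOL_MODELS = {"CCT-1668", "MAC-6400", "CXS-0424"}


def parse_version(text):
    """Assumption: versions are dot-separated integers compared left to right."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(model, version):
    """Return 'patched', 'update', 'hardware-upgrade' or 'unknown' for one device."""
    model = model.strip().upper()
    if model not in FIXED:
        return "unknown"
    try:
        current = parse_version(version)
    except ValueError:
        return "unknown"  # unparseable version: needs manual review
    if model in EOL_MODELS and current[0] <= 4:
        return "hardware-upgrade"  # no software patch; contact Slican service
    return "patched" if current >= parse_version(FIXED[model]) else "update"


# Constructed sample inventory (hostname, model, firmware); not real devices.
SAMPLE = [
    ("pbx-hq", "IPL-256", "6.61.0040"),
    ("pbx-branch", "CCT-1668", "6.55.0100"),
    ("pbx-legacy", "MAC-6400", "4.12.0007"),
    ("pbx-lab", "NCP", "1.23.0990"),
    ("pbx-odd", "CXS-0424", "n/a"),
]

if __name__ == "__main__":
    for host, model, fw in SAMPLE:
        print(f"{host:12} {model:9} {fw:10} -> {triage(model, fw)}")
```

Devices reported as `unknown` need manual review rather than being treated as safe.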
## Detection
- **Indicators of Compromise:** Unusual configuration changes, administrative logins from unrecognized sources, or unexpected incoming calls to the modem control panel.
- **Detection Methods:** Monitor administrative protocol logs for commands executed without preceding authentication sequences.
## References
- CERT Polska Advisory: hXXps://cert[.]pl/en/posts/2026/05/vulnerabilities-in-slican/
- CVE Records:
  - hXXps://www[.]cve[.]org/CVERecord?id=CVE-2026-35087
  - hXXps://www[.]cve[.]org/CVERecord?id=CVE-2026-35089
  - hXXps://www[.]cve[.]org/CVERecord?id=CVE-2026-35090