CVE-2025-14577
PHP Function Injection in Slican Devices Enables Remote Code Execution
Publication date: 2026-02-24
Last updated on: 2026-03-02
Assigner: CERT.PL
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| slican | ncp_firmware | up to 1.24.0190 (exclusive) |
| slican | ipl-256_firmware | up to 6.61.0010 (exclusive) |
| slican | ipm-032_firmware | up to 6.61.0010 (exclusive) |
| slican | ipu-14_firmware | up to 6.61.0010 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14577 is a vulnerability affecting multiple Slican devices, including models NCP, IPL, IPM, and IPU. It allows an unauthenticated remote attacker to execute arbitrary PHP commands by sending specially crafted requests to the /webcti/session_ajax.php endpoint. This is due to a PHP Function Injection flaw, classified under CWE-306: Missing Authentication for Critical Function.
How can this vulnerability impact me?
This vulnerability can have a severe impact as it allows an unauthenticated attacker to remotely execute arbitrary PHP commands on affected Slican devices. This could lead to full compromise of the device, unauthorized access to sensitive information, disruption of services, or further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious HTTP requests sent to the /webcti/session_ajax.php endpoint on Slican NCP/IPL/IPM/IPU devices.
One way to detect potential exploitation attempts is to capture and analyze network traffic for specially crafted requests targeting this endpoint.
For example, you can use the following command with curl to test if the endpoint is vulnerable by sending a crafted request (replace <device_ip> with the target device's IP address):
- curl -v http://<device_ip>/webcti/session_ajax.php -d 'payload_here'
Additionally, using network monitoring tools like tcpdump or Wireshark to filter HTTP requests to /webcti/session_ajax.php can help identify suspicious activity. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the affected Slican devices to the fixed versions: 1.24.0190 for Slican NCP and 6.61.0010 for Slican IPL/IPM/IPU.
Until the upgrade can be applied, restrict access to the /webcti/session_ajax.php endpoint by implementing network-level controls such as firewall rules to block unauthorized external access.
Also, monitor logs and network traffic for any suspicious requests targeting this endpoint to detect potential exploitation attempts.
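The log monitoring advised in the detection and mitigation answers above, as an added example (not code from this page, Slican, or CERT.PL): a Python scan of web access logs that reports requests to /webcti/session_ajax.php from outside an allowed management subnet, including encoded or non-canonical spellings of the path. The Combined Log Format, the 10.20.0.0/24 subnet, and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

ENDPOINT = "/webcti/session_ajax.php"        # path named in the advisory
ALLOWED_NETS = [ip_network("10.20.0.0/24")]  # assumption: management subnet

# Assumption: Common/Combined Log Format from a proxy or sensor in front of the device.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.20.0.15 - - [02/Mar/2026:09:14:01 +0000] "POST /webcti/session_ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Mar/2026:09:15:22 +0000] "POST /webcti/session_ajax.php HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '198.51.100.7 - - [02/Mar/2026:09:15:25 +0000] "POST /webcti/%2e/Session_Ajax.php HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '203.0.113.50 - - [02/Mar/2026:09:20:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [02/Mar/2026:09:21:10 +0000] "POST //webcti/%2573ession_ajax.php?x=1 HTTP/1.1" 404 0 "-" "-"',
]

def normalize_path(target):
    """Drop the query, undo single/double percent-encoding, collapse '//' and dot segments."""
    path = unquote(unquote(target.split("?", 1)[0]))
    return posixpath.normpath(re.sub(r"/+", "/", path)).lower()

def is_allowed(src):
    try:
        return any(ip_address(src) in net for net in ALLOWED_NETS)
    except ValueError:
        return False  # hostname or malformed address: treat as untrusted

def scan(lines):
    """Map each non-allowed source to its (timestamp, method, status, raw_target) endpoint hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or is_allowed(m["src"]):
            continue
        path = normalize_path(m["target"])
        # PHP may also run the script when extra path info follows the file name.
        if path == ENDPOINT or path.startswith(ENDPOINT + "/"):
            hits[m["src"]].append((m["ts"], m["method"], m["status"], m["target"]))
    return dict(hits)

if __name__ == "__main__":
    for src, reqs in scan(SAMPLE_LOG).items():
        for ts, method, status, target in reqs:
            print(f"{src} {ts} {method} {target} -> {status}")
```

Because the flaw requires no authentication, every hit from a source outside the management subnet is worth reviewing regardless of the response status.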