CVE-2026-35089
Deferred - Pending Action
Predictable Key Generation in Slican Telephone Exchanges

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: CERT.PL

Description
In Slican telephone exchanges the secure key is generated in a predictable manner using properties of the telephone exchange which can be obtained without authentication. An unauthenticated attacker can deduce the secure key and obtain admin credentials.

This issue was fixed in the following versions:

  • IPx series: version 6.61.0040
  • CCT-1668: version 6.56.0430
  • MAC-6400: version 6.56.0430
  • CXS-0424: version 6.30.0510

The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:

  • CCT-1668 (CCT1CPU)
  • MAC-6400
  • CXS-0424

These products were discontinued in 2011 and 2012 and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the service department directly to determine the options for upgrading.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
slican ipx_series 6.61.0040
slican cct-1668 6.56.0430
slican mac-6400 6.56.0430
slican cxs-0424 6.30.0510
slican cct-1668 to 5.0 (exc)
slican mac-6400 to 5.0 (exc)
slican cxs-0424 to 5.0 (exc)
slican cct-1668 From 4.0 (exc)
slican mac-6400 From 4.0 (exc)
slican cxs-0424 From 4.0 (exc)
CWE ID Description
CWE-1391 The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.
Executive Summary

This vulnerability exists in Slican telephone exchanges where the secure key is generated in a predictable way using properties of the telephone exchange that can be obtained without authentication.

An unauthenticated attacker can deduce this secure key and thereby obtain administrative credentials, allowing unauthorized access to the system.

The issue affects multiple models and versions, particularly older and end-of-life devices that will not receive updates.

Impact Analysis

An attacker exploiting this vulnerability can gain administrative access to the affected telephone exchange without authentication.

This unauthorized access could allow the attacker to control the telephone exchange, potentially leading to interception or manipulation of communications, disruption of services, or further compromise of the network.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Slican telephone exchange software is updated to the fixed versions or later:

  • IPx series: version 6.61.0040 or later
  • CCT-1668: version 6.56.0430 or later
  • MAC-6400: version 6.56.0430 or later
  • CXS-0424: version 6.30.0510 or later

For End-Of-Life devices running versions 4.xx and below (CCT-1668, MAC-6400, CXS-0424), which are no longer supported and cannot receive software updates without hardware upgrades, contact the vendor's service department to explore hardware upgrade options.
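
The version guidance above can be applied to an asset inventory with a short triage script. This is an added example, not vendor or CERT.PL code; it assumes firmware versions compare numerically field by field, and the model key "IPx" and the inventory rows are constructed for illustration.

```python
# Added example: triage an inventory against the fixed versions in the advisory.
# Assumption: versions such as "6.56.0430" compare numerically per dotted field.

FIXED = {  # model -> first fixed version, taken from the advisory text
    "IPx": (6, 61, 40),        # "IPx series"; the short key is hypothetical
    "CCT-1668": (6, 56, 430),
    "MAC-6400": (6, 56, 430),
    "CXS-0424": (6, 30, 510),
}
# Models whose 4.xx-and-below firmware is End-Of-Life per the advisory
EOL_MODELS = {"CCT-1668", "MAC-6400", "CXS-0424"}


def parse_version(text):
    """Turn '6.56.0430' into (6, 56, 430); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version: {text!r}")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # pad short versions with zeros


def triage(model, version):
    """Classify one exchange: patched, update, eol-hardware or unknown-*."""
    if model not in FIXED:
        return "unknown-model"
    try:
        ver = parse_version(version)
    except ValueError:
        return "unknown-version"   # treat as unverified, check by hand
    if ver >= FIXED[model]:
        return "patched"
    if model in EOL_MODELS and ver[0] <= 4:
        return "eol-hardware"      # hardware upgrade needed before any fix
    return "update"                # fixed firmware exists for this unit


# Constructed inventory rows (model, reported firmware); not real devices.
INVENTORY = [("IPx", "6.61.0040"), ("IPx", "6.60.0100"),
             ("CCT-1668", "4.12.0001"), ("CXS-0424", "6.30.0509")]

if __name__ == "__main__":
    for model, version in INVENTORY:
        print(f"{model:10} {version:12} {triage(model, version)}")
```

Units reported as `unknown-version` or `unknown-model` should be treated as unverified rather than safe.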

Compliance Impact

The vulnerability allows an unauthenticated attacker to deduce the secure key and obtain admin credentials on Slican telephone exchanges. This unauthorized access could lead to compromise of sensitive data or system controls.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive information and secure access controls.

However, the provided information does not explicitly mention the impact on compliance with these standards or regulations.
