CVE-2026-35090
Status: Deferred - Pending Action
Authentication Bypass in Slican Telephone Exchanges

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: CERT.PL

Description
In Slican telephone exchanges it is possible to manage the control panel remotely. An unauthenticated attacker can connect to the modem via a telephone with a specific caller ID. This allows them to bypass admin authentication and gain full access to the service protocol and configuration panel. This vulnerability is independent of the telephone exchange's configuration. If remote access is disabled, calling with this caller ID will temporarily enable it.

This issue was fixed in the versions below:
- IPL-256: version 6.61.0040
- IPM-032: version 6.61.0040
- CCT-1668: version 6.56.0430
- MAC-6400: version 6.56.0430
- CXS-0424: version 6.30.0510

The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:
- CCT-1668 (CCT1CPU)
- MAC-6400
- CXS-0424

These products were discontinued in 2011 and 2012 and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact their service department directly to determine the options for upgrading.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
11 associated CPEs

Vendor   Product    Version / Range
slican   ipl-256    6.61.0040
slican   ipm-032    6.61.0040
slican   cct-1668   6.56.0430
slican   mac-6400   6.56.0430
slican   cxs-0424   6.30.0510
slican   cct-1668   From 5.0 (exc)
slican   mac-6400   From 5.0 (exc)
slican   cxs-0424   From 5.0 (exc)
slican   cct-1668   From 4.0 (inc) to 5.0 (exc)
slican   mac-6400   From 4.0 (inc) to 5.0 (exc)
slican   cxs-0424   From 4.0 (inc) to 5.0 (exc)
CWE ID: CWE-288
Description: The product requires authentication, but the product has an alternate path or channel that does not require authentication.
AI Quick Actions
Executive Summary

This vulnerability affects Slican telephone exchanges, allowing an unauthenticated attacker to remotely manage the control panel by connecting to the modem via a telephone call with a specific caller ID.

By using this specific caller ID, the attacker can bypass the admin authentication and gain full access to the service protocol and configuration panel.

This bypass works regardless of the telephone exchange's configuration, and even if remote access is disabled, calling with the specific caller ID will temporarily enable it.

The vulnerability has been fixed in newer software versions, but still exists in End-Of-Life devices that are no longer supported and require hardware upgrades for updates.

Impact Analysis

An attacker exploiting this vulnerability can gain full administrative access to the telephone exchange's control panel without authentication.

This unauthorized access allows the attacker to modify configurations, potentially disrupt telephone services, intercept or manipulate communications, and compromise the integrity and availability of the system.

Since the vulnerability can temporarily enable remote access even if it is disabled, it increases the risk of remote exploitation.

Devices that are no longer supported and cannot be updated remain vulnerable, posing ongoing security risks.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Slican telephone exchange software is updated to the fixed versions or later:

  • IPL-256: version 6.61.0040 or later
  • IPM-032: version 6.61.0040 or later
  • CCT-1668: version 6.56.0430 or later
  • MAC-6400: version 6.56.0430 or later
  • CXS-0424: version 6.30.0510 or later

For End-Of-Life devices running versions 4.xx and below, which will not receive updates, contact the vendor's service department to explore hardware upgrade options.

Detection Guidance

This vulnerability involves an unauthenticated attacker connecting to the modem of Slican telephone exchanges via a telephone call with a specific caller ID to bypass admin authentication. Detection would involve monitoring incoming calls to the modem line for unexpected or suspicious caller IDs, particularly calls that coincide with remote access being enabled on a device where it was disabled.

Since the vulnerability is exploited through telephone calls with specific caller IDs, detection relies on telephony logs and modem call logs rather than on typical network telemetry.

No specific detection commands or tools are provided in the available context or resources.
