Description
In Slican telephone exchanges it is possible to manage the control panel remotely. An unauthenticated attacker can connect to the modem via a telephone call with a specific caller ID. This allows them to bypass admin authentication and gain full access to the service protocol and configuration panel. This vulnerability is independent of the telephone exchange's configuration. If remote access is disabled, calling with this caller ID will temporarily enable it.

This issue was fixed in versions below:
- IPL-256: version 6.61.0040
- IPM-032: version 6.61.0040
- CCT-1668: version 6.56.0430
- MAC-6400: version 6.56.0430
- CXS-0424: version 6.30.0510

The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:
- CCT-1668 (CCT1CPU)
- MAC-6400
- CXS-0424
These products were discontinued in 2011 and 2012 and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact their service department directly to determine the options for upgrading.
Published: 2026-05-27
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Slican telephone exchanges allow an unauthenticated attacker to connect to the modem through a telephone call that uses a specific caller ID. By doing so, the attacker bypasses the admin authentication mechanism and obtains full control over the service protocol and configuration panel. This flaw is independent of the device's current configuration and, if remote access is disabled, the special caller ID temporarily re-enables it. The vulnerability is an authentication bypass through an alternate channel (CWE-288): the caller ID acts as a hidden path around the credential check, enabling an attacker to read, modify, and potentially disrupt the device's operations.
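The bypass pattern described above, as an added illustration that is not Slican firmware code and not part of this page: a constructed model of a modem login handler that treats a magic caller ID as an alternate path around both the admin credential and the remote-access switch, beside a hardened handler that records caller ID but never trusts it. The placeholder caller ID, the class names and the PBKDF2 credential check are assumptions; the real triggering number is not public.

```python
"""Model of the authentication-bypass pattern described for CVE-2026-35090.

Constructed illustration, not Slican firmware: it shows why a caller-ID-keyed
bypass is CWE-288 and how a hardened handler differs. Caller ID (CLIP) is
asserted by the originating network, so from the exchange's point of view it
is attacker-controlled input.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

# Hypothetical placeholder; the number that triggers the real bypass is not public.
SERVICE_CALLER_ID = "+48000000000"


@dataclass
class IncomingCall:
    caller_id: str              # attacker-controlled, trivially spoofed over VoIP trunks
    presented_password: str = ""


@dataclass
class Exchange:
    remote_access_enabled: bool
    admin_password_hash: bytes
    salt: bytes
    audit_log: list = field(default_factory=list)

    def password_ok(self, presented: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", presented.encode(), self.salt, 100_000)
        return hmac.compare_digest(digest, self.admin_password_hash)


def vulnerable_modem_handler(pbx: Exchange, call: IncomingCall) -> str:
    """Pattern the advisory describes: a magic caller ID is an alternate path
    around admin authentication and overrides the remote-access switch."""
    if call.caller_id == SERVICE_CALLER_ID:
        pbx.remote_access_enabled = True          # the call "temporarily enables" remote access
        pbx.audit_log.append(("service-login", call.caller_id))
        return "ADMIN"
    if not pbx.remote_access_enabled:
        return "REJECTED"
    return "ADMIN" if pbx.password_ok(call.presented_password) else "REJECTED"


def hardened_modem_handler(pbx: Exchange, call: IncomingCall) -> str:
    """Caller ID is logged for forensics but never used as a decision input;
    only the configured switch and the admin credential decide."""
    pbx.audit_log.append(("modem-call", call.caller_id))
    if not pbx.remote_access_enabled:
        return "REJECTED"
    return "ADMIN" if pbx.password_ok(call.presented_password) else "REJECTED"


def make_exchange(password: str, remote_access_enabled: bool = False) -> Exchange:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return Exchange(remote_access_enabled, digest, salt)


def demo():
    """Spoofed service caller ID, no password, remote access configured OFF."""
    spoofed = IncomingCall(caller_id=SERVICE_CALLER_ID)
    pbx = make_exchange("correct horse", remote_access_enabled=False)
    vuln_result = vulnerable_modem_handler(pbx, spoofed)      # ADMIN, and the switch is now on
    vuln_switch_after = pbx.remote_access_enabled
    pbx2 = make_exchange("correct horse", remote_access_enabled=False)
    hard_result = hardened_modem_handler(pbx2, spoofed)       # REJECTED
    legit = hardened_modem_handler(make_exchange("correct horse", True),
                                   IncomingCall("+48123456789", "correct horse"))
    return vuln_result, vuln_switch_after, hard_result, legit


if __name__ == "__main__":
    print(demo())
```

The hardened variant still allows remote service, but the only things that decide are state the operator controls (the remote-access switch) and a secret the caller must prove (the credential); the identifier the network merely asserts is reduced to an audit field.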

Affected Systems

The flaw affects several Slican products: the CCT-1668, CXS-0424, IPL-256, IPM-032, and MAC-6400 series. Firmware versions earlier than the fixed revisions are vulnerable. The fixed firmware versions are 6.61.0040 for IPL-256 and IPM-032, 6.56.0430 for CCT-1668 and MAC-6400, and 6.30.0510 for CXS-0424. End-of-life devices running 4.xx and earlier (CCT-1668 with the CCT1CPU board, MAC-6400, and CXS-0424) remain vulnerable and will not receive updates; a hardware upgrade is required before patched software can be installed.

Risk and Exploitability

With a CVSS v4.0 score of 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) the flaw is rated critical. No EPSS score is available. The attack is carried out over the public telephone network: an attacker who knows the special caller ID needs no data-network connectivity and no credentials. Note that calling-line identification is asserted by the originating carrier and can be spoofed from ordinary VoIP trunks, so possession of the number, not of any secret, is the only barrier. The flaw is not listed in CISA's KEV catalog, and the SSVC decision points recorded for it state Exploitation: none and Automatable: no, which suggests no known widespread exploitation yet. Nonetheless, because the call re-enables remote access even where it has been disabled, a successful attacker can reconfigure the exchange through the service protocol and configuration panel and potentially load malicious firmware, so immediate remediation is advised.

Generated by OpenCVE AI on May 27, 2026 at 15:37 UTC.

Remediation

Vendor fix: the firmware versions listed in the description (IPL-256 and IPM-032 6.61.0040, CCT-1668 and MAC-6400 6.56.0430, CXS-0424 6.30.0510). No vendor workaround is published for vulnerable firmware; for the end-of-life 4.xx devices the vendor offers only a hardware upgrade arranged through its service department.

OpenCVE Recommended Actions

  • Upgrade all affected devices to firmware that contains the fix: IPL-256 and IPM-032 to 6.61.0040 or newer, CCT-1668 and MAC-6400 to 6.56.0430 or newer, and CXS-0424 to 6.30.0510 or newer.
  • For end-of-life devices that cannot be patched via firmware, contact Slican to obtain a hardware replacement or upgrade path; without the newer hardware the vulnerability will remain.
  • As a temporary measure, disconnect or disable the modem line used for remote service access until the patch is applied. Do not rely on blocking a caller ID at the line or trunk: the triggering number is not published, caller ID is asserted by the originating carrier and can be spoofed, and on vulnerable firmware the call itself re-enables remote access. Audit call detail records for inbound calls answered by the modem, particularly during periods when remote access was configured off.
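An audit that can be run today regardless of firmware state, as an added example that is not part of this page and not a Slican tool: scan exported call detail records for inbound calls that the service modem answered. Because the triggering number is unknown and caller ID is spoofable, the check does not filter on a number; it reports every modem session and raises severity when the session was held while remote access was supposed to be off. The CSV layout, column names, modem extension 990 and the sample rows are constructed assumptions; real CDR exports will differ.

```python
"""Audit call detail records for inbound calls that reached a PBX service modem.

Constructed example, not Slican software. The CDR format, column names and
extension number are assumptions; adapt them to the exchange's real export.
"""
import csv
import io
from datetime import datetime

# Assumed: extension(s) on which the service modem answers.
MODEM_EXTENSIONS = {"990"}
# Assumed: remote-access setting as read from the exchange's configuration.
REMOTE_ACCESS_ENABLED = False

# Constructed sample CDR (not real data). Columns:
# timestamp,direction,caller_id,called,answered_by,duration_s
SAMPLE_CDR = """timestamp,direction,caller_id,called,answered_by,duration_s
2026-05-20T08:01:10,IN,+48221234567,100,100,61
2026-05-20T08:14:02,IN,+48221234567,990,990,8
2026-05-20T23:47:55,IN,+48601999999,990,990,412
2026-05-21T02:03:30,OUT,100,+48601000000,,35
2026-05-21T02:10:12,IN,,990,990,260
"""


def find_modem_sessions(cdr_text, modem_extensions=MODEM_EXTENSIONS,
                        remote_access_enabled=REMOTE_ACCESS_ENABLED,
                        min_duration_s=30):
    """Return one finding per inbound call answered by a modem extension.

    Severity:
      LOW    - shorter than min_duration_s (misdial, or the modem dropped the call)
      HIGH   - a held session while remote access was configured off, which is
               exactly what the caller-ID bypass produces
      MEDIUM - a held session while remote access was allowed; reconcile it
               against known maintenance windows
    """
    findings = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if row["direction"] != "IN" or row["answered_by"] not in modem_extensions:
            continue
        duration = int(row["duration_s"])
        ts = datetime.fromisoformat(row["timestamp"])
        caller = row["caller_id"] or "<withheld>"   # withheld CLIP is itself worth a look
        if duration < min_duration_s:
            severity = "LOW"
        elif not remote_access_enabled:
            severity = "HIGH"
        else:
            severity = "MEDIUM"
        findings.append({"time": ts.isoformat(), "caller_id": caller,
                         "duration_s": duration, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_modem_sessions(SAMPLE_CDR):
        print(f"{f['severity']:6} {f['time']} {f['caller_id']:>14} {f['duration_s']:>5}s")
```

Any HIGH finding on a device still on vulnerable firmware should be treated as a possible compromise: diff the current configuration against the last known-good export and check for new administrative accounts, changed trunk routing or altered remote-access settings.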

Generated by OpenCVE AI on May 27, 2026 at 15:37 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 17:30:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 14:15:00 +0000

Type: Description
Values added: In Slican telephone exchanges it is possible to manage the control panel remotely. An unauthenticated attacker can connect to the modem via a telephone with a specific caller ID. This allows them to bypass admin authentication and gain full access to the service protocol and configuration panel. This vulnerability is independent of the telephone exchanges configuration. If remote access is disabled, calling with this caller ID will temporarily enable it. This issue was fixed in versions below: - IPL-256: version 6.61.0040 - IPM-032: version 6.61.0040 - CCT-1668: version 6.56.0430 - MAC-6400: version 6.56.0430 - CXS-0424: version 6.30.0510 The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below: - CCT-1668 (CCT1CPU) - MAC-6400 - CXS-0424 These products were discontinued in 2011 and 2012 and and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the their service department directly to determine the options for upgrading.
Type: Title
Values added: Authentication Bypass in Slican telephone exchanges
Type: Weaknesses
Values added: CWE-288
Type: References
Values added: (none shown)
Type: Metrics
Values added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-27T15:29:08.709Z

Reserved: 2026-04-01T11:23:16.118Z

Link: CVE-2026-35090

Vulnrichment

Updated: 2026-05-27T15:29:03.132Z

NVD

Status : Deferred

Published: 2026-05-27T14:16:45.000

Modified: 2026-05-27T19:38:33.270

Link: CVE-2026-35090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T15:45:37Z

Weaknesses