PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35090 Slican CVE debrief

An authentication bypass in Slican telephone exchanges lets a remote, unauthenticated attacker obtain full administrative access by dialling in to the exchange's service modem with a specific caller ID. The bypass does not depend on the remote-access setting: a call presenting that caller ID temporarily enables remote access even when it has been explicitly disabled. Several Slican exchange models are affected; the CVSS 4.0 base score is 9.3 (Critical).

Vendor
Slican
Product
CCT-1668
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Anyone operating a Slican telephone exchange, particularly in critical infrastructure, healthcare, hospitality and enterprise environments where legacy PBX systems remain in service. Security teams responsible for telephony infrastructure, and the facilities or physical-security staff who control which POTS lines reach the exchange's service modem, should prioritise assessment.

Technical summary

The vulnerability stems from improper authentication in the remote management interface of Slican telephone exchanges. When an attacker dials in over the modem using a specific caller ID, the system grants full administrative access without asking for credentials. The bypass occurs at the service protocol level and exposes the configuration panel. It is also configuration-independent: if remote access has been administratively disabled, a call carrying the specific caller ID temporarily re-enables it, so the setting is not a mitigation. Caller ID is supplied by the calling side and is routinely spoofed, so a caller-ID match is not an authentication factor; any attacker who knows the expected number and can reach the modem line can exploit this. The flaw is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Defensive priority

critical

Recommended defensive actions

  • Immediately inventory all Slican telephone exchange models (IPL-256, IPM-032, CCT-1668, MAC-6400, CXS-0424) and identify firmware versions
  • Upgrade supported models to patched firmware: IPL-256 and IPM-032 to version 6.61.0040; CCT-1668 and MAC-6400 to version 6.56.0430; CXS-0424 to version 6.30.0510
  • For end-of-life models CCT-1668 (CCT1CPU), MAC-6400, and CXS-0424 running firmware 4.xx or below, contact Slican service department to evaluate hardware upgrade options as no software patches will be released
  • Implement network segmentation to isolate telephone exchange management interfaces from untrusted networks
  • Monitor for unauthorized modem connections and anomalous caller ID patterns on the POTS lines that terminate on affected exchanges, and correlate dial-ins with subsequent administrative changes
  • Do not rely on the "remote access disabled" setting, since the crafted call re-enables it; where operationally feasible, physically disconnect the service modem line (or the modem) until patching is complete
  • Review access logs for indicators of compromise, particularly administrative configuration changes made via modem connections
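The monitoring and log-review items above, as an added example that is not part of the PatchSiren debrief or any Slican software: it correlates inbound calls on the service modem with configuration changes made over the modem channel, flags dial-ins from numbers not on a service allowlist, and flags every toggle of the remote-access setting. The CSV-like record format, the field names, the allowlisted number and the sample records are all constructed for illustration; adapt parse_line() to the export format of your exchange or your telco's CDRs.

```python
"""Flag suspicious activity on a PBX service modem from call and audit records.

Added example, not vendor tooling. Record format and sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: numbers the vendor's service department dials in from. Caller ID is
# chosen by the calling side and is easy to spoof, so matching it is a triage aid
# for reviewers, not an authentication control.
KNOWN_SERVICE_CLI = {"+48000000001"}
# A config change over the modem this long after an inbound modem call is
# attributed to that call.
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample records: a dial-in from an unknown number that turns remote
# access on and edits the dial plan, a dial-in from the service number that
# applies a firmware update, and one change made over the LAN.
SAMPLE_RECORDS = """\
2026-05-28T02:14:07,inbound,line=MODEM1,cli=+48111222333,result=connected
2026-05-28T02:15:40,config_change,user=admin,channel=modem,item=remote_access,old=off,new=on
2026-05-28T02:16:02,config_change,user=admin,channel=modem,item=dialplan,old=v12,new=v13
2026-05-28T09:00:11,inbound,line=MODEM1,cli=+48000000001,result=connected
2026-05-28T09:05:30,config_change,user=service,channel=modem,item=fw_update,old=6.56.0420,new=6.56.0430
2026-05-28T10:30:00,config_change,user=admin,channel=lan,item=dialplan,old=v13,new=v14
"""


@dataclass
class Event:
    ts: datetime
    kind: str                 # "inbound" or "config_change"
    fields: dict[str, str]    # remaining key=value pairs


def parse_line(line: str) -> Event:
    """Parse 'timestamp,kind,key=value,...' (hypothetical format) into an Event."""
    ts_text, kind, *pairs = line.strip().split(",")
    fields = dict(pair.split("=", 1) for pair in pairs)
    return Event(datetime.fromisoformat(ts_text), kind, fields)


def _last_modem_call(calls: list[Event], at: datetime) -> Event | None:
    """Most recent inbound modem call within CORRELATION_WINDOW before `at`."""
    for call in reversed(calls):
        if call.ts <= at and at - call.ts <= CORRELATION_WINDOW:
            return call
    return None


def _alert(ev: Event, rule: str, cli: str) -> dict[str, str]:
    return {**ev.fields, "ts": ev.ts.isoformat(), "rule": rule, "cli": cli}


def analyze(lines) -> list[dict[str, str]]:
    """Return alerts for modem dial-ins from unexpected numbers and for
    administrative changes over the modem that cannot be tied to a dial-in
    from a known service number. Every remote_access toggle is reported."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts: list[dict[str, str]] = []
    modem_calls: list[Event] = []
    for ev in events:
        if ev.kind == "inbound" and ev.fields.get("line", "").startswith("MODEM"):
            modem_calls.append(ev)
            cli = ev.fields.get("cli", "")
            if cli not in KNOWN_SERVICE_CLI:
                alerts.append(_alert(ev, "modem dial-in from number not on service allowlist", cli))
        elif ev.kind == "config_change" and ev.fields.get("channel") == "modem":
            origin = _last_modem_call(modem_calls, ev.ts)
            cli = origin.fields.get("cli", "") if origin else "<no preceding modem call>"
            if ev.fields.get("item") == "remote_access":
                # The advisory says a dial-in can flip this setting; review every toggle.
                alerts.append(_alert(ev, "remote_access toggled over modem", cli))
            elif cli not in KNOWN_SERVICE_CLI:
                alerts.append(_alert(ev, "config change over modem not traceable to service number", cli))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_RECORDS.splitlines()):
        print(a["ts"], a["rule"], a["cli"])
```

On the sample data this yields three alerts, all tied to the unknown number: the dial-in itself, the remote_access toggle, and the dial-plan edit; the firmware update after the allowlisted dial-in and the LAN-side change are not reported. Treat the allowlist match as a reason to look second, not as a reason to trust the session.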

Evidence notes

Vulnerability disclosed by CERT.pl, with CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) identified. Fixed versions released for supported products; end-of-life hardware (discontinued 2011-2012) remains vulnerable and requires a hardware upgrade.
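A triage helper for the fixed-version list above and the end-of-life rule from the recommended actions, as an added example that is not vendor tooling: it classifies each exchange in an inventory as patched, needing an upgrade, or end-of-life with no patch available. The fixed versions and the "firmware 4.xx or below" rule are taken from this debrief; the inventory rows and the status names are constructed. Versions are compared numerically, field by field, because string comparison would mis-order builds such as 6.9 and 6.61.

```python
"""Classify a Slican exchange inventory against the advisory's fixed firmware.

Added example, not vendor tooling. Inventory rows below are constructed.
"""
from __future__ import annotations

# Fixed firmware per model, as given in the advisory.
FIXED_VERSION = {
    "IPL-256": "6.61.0040",
    "IPM-032": "6.61.0040",
    "CCT-1668": "6.56.0430",
    "MAC-6400": "6.56.0430",
    "CXS-0424": "6.30.0510",
}
# Models whose discontinued hardware variants run firmware 4.xx or lower;
# the advisory says those get no software patch.
EOL_MODELS = {"CCT-1668", "MAC-6400", "CXS-0424"}


def parse_version(text: str) -> tuple[int, ...]:
    """'6.56.0430' -> (6, 56, 430); tuples compare field by field, numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(model: str, firmware: str) -> str:
    """Return one of: patched, upgrade-required, eol-no-patch,
    unknown-model, unparseable-version (status names are this example's own)."""
    model = model.strip().upper()
    if model not in FIXED_VERSION:
        return "unknown-model"
    try:
        version = parse_version(firmware)
    except ValueError:
        return "unparseable-version"
    if model in EOL_MODELS and version[0] <= 4:
        return "eol-no-patch"          # hardware replacement, per the advisory
    if version >= parse_version(FIXED_VERSION[model]):
        return "patched"
    return "upgrade-required"


def triage(rows: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Group exchange names by status. rows are (name, model, firmware)."""
    result: dict[str, list[str]] = {}
    for name, model, firmware in rows:
        result.setdefault(classify(model, firmware), []).append(name)
    return result


# Constructed inventory: one patched, one behind by a minor release, one EOL
# board on 4.x, one behind by a build number, one exactly at the fixed version.
INVENTORY = [
    ("hq-pbx", "IPL-256", "6.61.0040"),
    ("branch-1", "IPM-032", "6.60.0120"),
    ("warehouse", "CCT-1668", "4.21"),
    ("clinic", "CCT-1668", "6.56.0420"),
    ("hotel", "CXS-0424", "6.30.0510"),
]

if __name__ == "__main__":
    for status, names in sorted(triage(INVENTORY).items()):
        print(f"{status:17} {', '.join(names)}")
```

Note that the same model name can fall into two different buckets: a CCT-1668 on 6.56.x is upgraded in place, while a CCT-1668 (CCT1CPU) still on 4.x is reported as end-of-life and goes to the vendor's service department for a hardware evaluation.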

Official resources

2026-05-27