Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to the /webcti/session_ajax.php endpoint.
This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).
| Source | Link | Notes |
|---|---|---|
| NVD (NIST) | https://nvd.nist.gov/vuln/detail/CVE-2025-14577 | CVE entry in NVD |
| CISA KEV | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14577 | CVE lookup in KEV |
| FIRST EPSS | https://api.first.org/data/v1/epss?cve=CVE-2025-14577 | EPSS API for the CVE |
| cvd@cert.pl | https://cert.pl/posts/2026/02/CVE-2025-14577 | Third Party Advisory |
| cvd@cert.pl | https://www.slican.pl/oferta/centrale-telefoniczne/ | Product |