9.8критическая
CVE-2025-14577
Описание
Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to /webcti/session_ajax.php endpoint.
This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).
Затрагиваемое ПО
Slican Ncp firmwareSlican Ncp server cm300pSlican Ncp server cm300p.1bcSlican Ncp server cm400p.1bcSlican Ncp server cm600p.1bcSlican Ipl-256 firmwareSlican Ipl-256.3uSlican Ipl-256.wmSlican Ipm-032 firmwareSlican Ipm-032.2uSlican Ipm-032.wmSlican Ipu-14 firmwareSlican Ipu-14.103.wmSlican Ipu-14.105.1uSlican Ipu-14.105.wm
CVSS
| Балл | 9.8 — критическая |
| Вектор | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Источники
https://cert.pl/posts/2026/02/CVE-2025-14577https://www.slican.pl/oferta/centrale-telefoniczne/