CVE-2026-35090— Authentication Bypass in Slican telephone exchanges
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-35090
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authentication Bypass in Slican telephone exchanges
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Slican telephone exchanges it is possible to manage the control panel remotely. An unauthenticated attacker can connect to the modem via a telephone with a specific caller ID. This allows them to bypass admin authentication and gain full access to the service protocol and configuration panel. This vulnerability is independent of the telephone exchanges configuration. If remote access is disabled, calling with this caller ID will temporarily enable it. This issue was fixed in versions below: - IPL-256: version 6.61.0040 - IPM-032: version 6.61.0040 - CCT-1668: version 6.56.0430 - MAC-6400: version 6.56.0430 - CXS-0424: version 6.30.0510 The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below: - CCT-1668 (CCT1CPU) - MAC-6400 - CXS-0424 These products were discontinued in 2011 and 2012 and and will not receive updates. These products require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the their service department directly to determine the options for upgrading.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用候选路径或通道进行的认证绕过
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-35090
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-35090
请登录查看更多情报信息。
Security Blog Posts for CVE-2026-35090 (1)
- 🔗 Podatności w oprogramowaniu central telefonicznych Slican | CERT Polskathird-party-advisory
Same Patch Batch · Slican · 2026-05-27 · 3 CVEs total
| CVE-2026-35087 | Authentication Bypass in Slican telephone exchanges | |
| CVE-2026-35089 | Use of Weak Credentials in Slican telephone exchanges |
IV. Related Vulnerabilities
Same weakness: CWE-288
- CVE-2026-35087
Authentication Bypass in Slican telephone exchanges - CVE-2026-42749
WordPress Disable Comments for Any Post Types (Remove commen - CVE-2026-42760
WordPress Backup and Staging by WP Time Capsule plugin <= 1. - CVE-2026-42745
WordPress Smart Online Order for Clover plugin <= 1.6.0 - Br - CVE-2026-42735
WordPress KiviCare plugin <= 4.3.0 - Broken Authentication v
V. Comments for CVE-2026-35090
No comments yet