CVE ID: CVE-2025-14577 Publication Date: 24 lutego 2026 Affected Product Vendor: Slican Affected Product Name: NCP, IPL, IPM, IPU Affected Versions: All versions up to 1.24.0190 (Slican NCP) and up to 6.61.0010 (Slican IPL/IPM/IPU) Vulnerability Type (CWE): Missing Authentication for Critical Function (CWE-306) Source of Reporting: Reporting to CERT Polska Vulnerability Description: CERT Polska received a report about a vulnerability in Slican NCP/IPL/IPM/IPU devices and coordinated the information disclosure process. Vulnerability CVE-2025-14577: Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthorized attacker may be able to execute arbitrary PHP commands by sending specially crafted requests to the endpoint /webcit/session_ajax.php. The problem was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU). Acknowledgment: Thank you to Dariuszowi Gońdzie for reporting the vulnerability.