QwikSec

Security Database

CVE

CWE

Training

CVE-2025-14577

Published: Feb 24, 2026

Modified: Feb 24, 2026

PUBLISHED

Description

Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to /webcti/session_ajax.php endpoint. This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).

Vendor	Product	Versions
Slican	NCP	affected `0 - < 1.24.0190`
Slican	IPL	affected `0 - < 6.61.0010`
Slican	IPM	affected `0 - < 6.61.0010`
Slican	IPU	affected `0 - < 6.61.0010`

Weaknesses (CWE)

References

https://cert.pl/posts/2026/02/CVE-2025-14577

third-party-advisory

https://www.slican.pl/oferta/centrale-telefoniczne/

product

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.