Cyber Posture

CVE-2025-14577

Severity: Critical
Published: 24 February 2026
Modified: 02 March 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP function injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to the /webcti/session_ajax.php endpoint. This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).

Mitigating Controls (NIST 800-53 r5)

Prevent (patch): Directly mitigates the PHP function injection vulnerability by requiring timely installation of the vendor fixes, Slican NCP 1.24.0190 and IPL/IPM/IPU 6.61.0010. On a closed firmware appliance this is the only control that actually removes the flaw.

Prevent (input validation): Prevents exploitation by validating and sanitizing inputs to the /webcti/session_ajax.php endpoint so that requests carrying PHP function names or callables are rejected. This control lives in the vendor's firmware, not in anything the operator can configure, so it is delivered by the patch rather than being a substitute for it.

Prevent/Detect (network boundary): Limits remote network access to the /webcti/session_ajax.php endpoint, and the WebCTI web interface as a whole, through firewalls or a WAF so that only management networks can reach it. The same boundary is the natural detection point: any request to the endpoint from outside those networks is worth an alert until the device is patched.
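The boundary control above is only useful if someone looks at what reaches the endpoint. The following is an added example, not code from this page or from Slican, of triaging web-server access logs for /webcti/session_ajax.php: it flags requests from outside an assumed management network and parameter values that name a dangerous PHP function. The log lines are constructed, the management CIDR is an assumption, and the function-name list is a generic heuristic for this bug class; the page does not disclose the real request that triggers CVE-2025-14577, so this is not an exploit signature.

```python
"""Access-log triage for the /webcti/session_ajax.php endpoint.

Added example for the boundary-protection/detection control; not code from
the page or from Slican. Log lines are constructed, MANAGEMENT_NETS is an
assumption, and DANGEROUS_PHP_FUNCS is a generic heuristic, not the CVE's
actual payload (which this page does not publish).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/webcti/session_ajax.php"

# Assumed management network; anything else hitting the endpoint is a finding.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# PHP functions that commonly show up in function-injection attempts.
DANGEROUS_PHP_FUNCS = {
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "eval", "assert", "file_put_contents", "file_get_contents",
    "base64_decode", "call_user_func", "call_user_func_array",
}

# Apache/nginx combined log format; only the fields this triage needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    reasons: list[str] = field(default_factory=list)


def suspicious_values(query: str) -> list[str]:
    """Return 'name=value' pairs whose value names a dangerous PHP function.

    Values are lower-cased and cut at the first "(" so that both
    "action=system" and "cb=System(" are caught.
    """
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            token = v.strip().lower().split("(", 1)[0]
            if token in DANGEROUS_PHP_FUNCS:
                hits.append(f"{name}={v}")
    return hits


def analyse(lines: list[str]) -> list[Finding]:
    """Flag endpoint requests from outside the allowlist or with callable-looking parameters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        reasons = []
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in MANAGEMENT_NETS):
            reasons.append("source outside management allowlist")
        hits = suspicious_values(url.query)
        if hits:
            reasons.append("dangerous PHP function name in parameter: " + ", ".join(hits))
        if reasons:
            findings.append(Finding(m["ip"], m["ts"], m["method"], reasons))
    return findings


# Constructed sample log lines (addresses, timestamps and parameters are made up).
SAMPLE_LOG = [
    '10.20.0.15 - - [24/Feb/2026:09:12:01 +0100] "GET /webcti/session_ajax.php?action=status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Feb/2026:09:13:44 +0100] "GET /webcti/session_ajax.php?action=status HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [24/Feb/2026:09:13:45 +0100] "POST /webcti/session_ajax.php?cb=system HTTP/1.1" 200 77 "-" "curl/8.5.0"',
    '10.20.0.15 - - [24/Feb/2026:09:14:10 +0100] "GET /webcti/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.20.0.99 - - [24/Feb/2026:09:15:00 +0100] "GET /webcti/session_ajax.php?cb=Eval( HTTP/1.1" 500 0 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method}: " + "; ".join(f.reasons))
```

Two design points: the allowlist check is the high-confidence signal (nothing outside management should touch this endpoint at all), while the function-name check only sees query strings; POST bodies are not in a standard access log, so a WAF or a reverse proxy with body logging is needed to apply the same heuristic there.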

Security Summary

CVE-2025-14577 is a PHP function injection vulnerability affecting Slican NCP/IPL/IPM/IPU devices, listed on this page under CWE-306 (Missing Authentication for Critical Function) because the affected endpoint is reachable without authentication. It allows an unauthenticated remote attacker to execute arbitrary PHP code by sending specially crafted requests to the /webcti/session_ajax.php endpoint. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.

An attacker with network access to the device's web interface can exploit it without credentials or user interaction. Successful exploitation gives arbitrary PHP code execution in the device's web application, which in practice means remote code execution on the device, data theft, full compromise of the system, and a foothold for lateral movement into the network it serves.

The vulnerability was fixed in Slican NCP version 1.24.0190 and Slican IPL/IPM/IPU versions 6.61.0010. Operators should update to these or later releases immediately and, until they do, restrict access to the WebCTI interface to management networks. Additional details are in the CERT Polska advisory at https://cert.pl/posts/2026/02/CVE-2025-14577 and on the vendor site at https://www.slican.pl/oferta/centrale-telefoniczne/.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function), as given in the summary above.

Affected Products (versions before the fixed release; the fixed release itself is not affected):

slican ncp firmware: < 1.24.0190 (fixed in 1.24.0190)
slican ipl-256 firmware: < 6.61.0010 (fixed in 6.61.0010)
slican ipm-032 firmware: < 6.61.0010 (fixed in 6.61.0010)
slican ipu-14 firmware: < 6.61.0010 (fixed in 6.61.0010)
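Deciding which devices in an estate still need the patch comes down to comparing the firmware each one reports against the fixed release for its product family. The following is an added example, not code from this page or from Slican: the fixed versions and the family-to-version mapping are taken from the description above, the sample inventory (hostnames, models, versions) is constructed, and the assumption that model strings such as "IPL-256" begin with the family prefix is mine. It compares versions numerically, since the vendor zero-pads the last segment ("0190") and a plain string comparison gets mixed-width segments wrong.

```python
"""Patch-status triage for Slican firmware versions against the fixed releases
named on this page (NCP 1.24.0190; IPL/IPM/IPU 6.61.0010).

Added example, not Slican's or the page's own code. The fixed-version map is
taken from the advisory text; the inventory rows are constructed sample data,
and the model-prefix-to-family convention is an assumption.
"""
from dataclasses import dataclass

# Fixed versions per product family, as stated in the advisory description.
FIXED_VERSION = {
    "ncp": "1.24.0190",
    "ipl": "6.61.0010",
    "ipm": "6.61.0010",
    "ipu": "6.61.0010",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Split a dotted version into integer segments.

    Integer comparison is deliberate: a lexical compare would rank "1.9.0"
    above "1.24.0", and would treat the zero-padded "0010" as different
    from "10" even though the vendor means the same build.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def family_of(model: str) -> str:
    """Map a model string such as 'IPL-256' or 'NCP' to its firmware family (assumed convention)."""
    prefix = model.strip().lower().split("-", 1)[0]
    if prefix not in FIXED_VERSION:
        raise ValueError(f"unknown Slican family: {model!r}")
    return prefix


def is_vulnerable(model: str, firmware: str) -> bool:
    """True when the device runs firmware older than the fixed release.

    The fixed release itself is not vulnerable: the affected range is
    strictly 'before the fix'.
    """
    fam = family_of(model)
    return parse_version(firmware) < parse_version(FIXED_VERSION[fam])


@dataclass
class Finding:
    host: str
    model: str
    firmware: str
    fixed: str


def triage(inventory: list[dict]) -> list[Finding]:
    """Return one Finding per device that still needs the vendor patch."""
    out = []
    for dev in inventory:
        if is_vulnerable(dev["model"], dev["firmware"]):
            out.append(Finding(dev["host"], dev["model"], dev["firmware"],
                               FIXED_VERSION[family_of(dev["model"])]))
    return out


# Constructed sample inventory (hostnames, models and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "pbx-hq", "model": "NCP", "firmware": "1.24.0185"},
    {"host": "pbx-branch-1", "model": "IPL-256", "firmware": "6.61.0010"},
    {"host": "pbx-branch-2", "model": "IPM-032", "firmware": "6.60.0120"},
    {"host": "pbx-lab", "model": "IPU-14", "firmware": "6.61.0012"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.model} {f.firmware} -> upgrade to {f.fixed}")
```

Feed it whatever your asset inventory exports (model and reported firmware per device); anything it returns is a device that is both unpatched and, per this page, remotely exploitable without credentials.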

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique? The vulnerability allows unauthenticated remote code execution via a public-facing web endpoint (/webcti/session_ajax.php), which is exactly the exploitation of a public-facing application that T1190 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://cert.pl/posts/2026/02/CVE-2025-14577 (CERT Polska advisory)
https://www.slican.pl/oferta/centrale-telefoniczne/ (vendor product page)