Auth bypass in Slican Ipl

CVE-2025-14577

Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to /webcti/session_ajax.php endpoint. This issue…

Vulnerability class: Broken Authentication

EPSS: 0.001 (32.0th percentile) — read the EPSS interpretation.

Affected products

Slican Ipl — versions 0
Slican Ipm — versions 0
Slican Ipu — versions 0
Slican Ncp — versions 0

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

cert.pl/posts/2026/02/CVE-2025-14577 (third-party-advisory)
www.slican.pl/oferta/centrale-telefoniczne/ (product)