Cyber Resilience

CVE-2025-14577

Critical

Published: 24 February 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: available (fixed versions listed below)
CVSS v4 base score: 9.3 (Critical)
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0039 (30.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-14577 is a critical-severity vulnerability in Slican NCP firmware and the related IPL/IPM/IPU firmware lines, catalogued under CWE-306 (Missing Authentication for Critical Function): the /webcti/session_ajax.php endpoint accepts PHP function injection from callers who have not authenticated. Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 30.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog; neither fact reduces the impact of an unauthenticated code-execution flaw on a device whose web interface is reachable from untrusted networks.

The mitigations our analysis rates highest are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation), with SC-7 (Boundary Protection) as the compensating control until each device is patched.

Deeper analysis

CVE-2025-14577 is a PHP function injection flaw in Slican NCP/IPL/IPM/IPU devices. An unauthenticated remote attacker can execute arbitrary PHP functions by sending specially crafted requests to the /webcti/session_ajax.php endpoint. The CWE-306 classification reflects that the injection point is reachable without any authentication; the underlying weakness is code injection, not merely a missing login check. Under CVSS v3.1 the base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); under CVSS v4 it is 9.3. Both reflect network reachability, low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.

An attacker with network access to the device's web interface can exploit the flaw remotely with no credentials and no user interaction. Arbitrary PHP execution on the device amounts to remote code execution in the context of its web server, and from there to theft of stored data, persistent compromise of the device, and lateral movement into the network the device sits on.

The vulnerability was fixed in Slican NCP version 1.24.0190 and in Slican IPL/IPM/IPU version 6.61.0010. Update to these versions as a priority; where a device cannot be updated immediately, restrict network access to its web interface to management networks only. Additional details are in the CERT Polska advisory at https://cert.pl/posts/2026/02/CVE-2025-14577 and on the vendor site at https://www.slican.pl/oferta/centrale-telefoniczne/.
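The fixed builds above are the only version facts the advisory gives, and the boundary matters: a device on exactly 1.24.0190 or 6.61.0010 is patched, anything older is not. The following triage helper is an added example (not code from the page, Slican, or CERT Polska) that applies that rule to an asset inventory. The inventory rows and the model-name-to-family mapping are constructed for illustration.

```python
"""Triage helper for CVE-2025-14577: flag inventoried Slican devices that
still run firmware older than the fixed build.

Added example; not Slican or CERT Polska code. The inventory below and the
model-name-to-family mapping are constructed assumptions."""
from typing import Iterable, List, Tuple

# Fixed builds stated in the advisory: NCP 1.24.0190, IPL/IPM/IPU 6.61.0010.
FIXED_VERSIONS = {
    "ncp": "1.24.0190",
    "ipl": "6.61.0010",
    "ipm": "6.61.0010",
    "ipu": "6.61.0010",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.24.0190' -> (1, 24, 190). Numeric compare, so '0190' < '1000' and
    '6.61.0005' < '6.61.0010'; a string compare would get zero-padding wrong."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {v!r}")
    return tuple(int(p) for p in parts)


def product_family(model: str) -> str:
    """Map a model string such as 'IPL-256', 'IPU-14' or 'NCP' to its
    firmware family key (assumed naming, mirroring the affected-asset list)."""
    fam = model.strip().lower().split("-")[0]
    if fam not in FIXED_VERSIONS:
        raise ValueError(f"not a product covered by CVE-2025-14577: {model!r}")
    return fam


def is_vulnerable(model: str, version: str) -> bool:
    """Affected iff the running build is strictly older than the fixed build.
    The advisory says the issue was *fixed in* 1.24.0190 / 6.61.0010, so a
    device on exactly that build is treated as patched."""
    fam = product_family(model)
    return parse_version(version) < parse_version(FIXED_VERSIONS[fam])


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """inventory rows are (hostname, model, running_version).
    Returns (hostname, model, running_version, fixed_version) for each device
    that still needs the update."""
    todo = []
    for host, model, ver in inventory:
        if is_vulnerable(model, ver):
            todo.append((host, model, ver, FIXED_VERSIONS[product_family(model)]))
    return todo


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("pbx-hq", "NCP", "1.23.0420"),       # older minor -> needs patch
    ("pbx-branch", "NCP", "1.24.0190"),   # exactly the fixed build -> patched
    ("pbx-old", "IPL-256", "6.60.0100"),  # older minor -> needs patch
    ("pbx-small", "IPU-14", "6.61.0010"), # exactly the fixed build -> patched
    ("pbx-mid", "IPM-032", "6.61.0005"),  # same minor, older build -> needs patch
]

if __name__ == "__main__":
    for host, model, ver, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} {ver} -> update to {fixed}")
```

Feed it the real inventory export and treat every row it returns as exposed until the device has actually been rebooted onto the fixed build; a version string read from a management console before the upgrade completes is not evidence of remediation.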


Vulnerability details

Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to the /webcti/session_ajax.php endpoint. This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).

CWE(s)

CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote code execution via a public-facing web endpoint (/webcti/session_ajax.php), directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One (shared CWE-306)

CVE-2026-4810
CVE-2025-53847
CVE-2025-61757
CVE-2025-68715
CVE-2026-21992
CVE-2025-26362
CVE-2026-48692
CVE-2022-50981
CVE-2025-58083
CVE-2025-21515

Affected Assets

slican ncp firmware: ≤ 1.24.0190
slican ipl-256 firmware: ≤ 6.61.0010
slican ipm-032 firmware: ≤ 6.61.0010
slican ipu-14 firmware: ≤ 6.61.0010

Note: the ranges above are inclusive of 1.24.0190 and 6.61.0010, but the advisory states the issue was fixed in exactly those builds. Treat versions strictly below 1.24.0190 (NCP) and 6.61.0010 (IPL/IPM/IPU) as affected, and confirm the installed build on each device rather than relying on the range boundary.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the PHP function injection vulnerability by requiring timely installation of vendor patches: Slican NCP version 1.24.0190 and IPL/IPM/IPU version 6.61.0010.

SI-10 Information Input Validation (prevent)

Prevents exploitation by validating and sanitising inputs to the /webcti/session_ajax.php endpoint so that crafted PHP function injection requests are rejected. On a closed appliance this control is delivered by the vendor's patched firmware; an operator can approximate it only at a reverse proxy or WAF placed in front of the device, which is a stop-gap rather than a fix.

SC-7 Boundary Protection (prevent, detect)

Limits remote network access to the vulnerable /webcti/session_ajax.php endpoint through boundary protections such as firewalls or WAFs, reducing exposure to unauthenticated attackers. Because the flaw needs no credentials, network reachability of the web interface is the single exposure factor an operator controls before the patch is applied.
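Both the T1190 mapping above and the SC-7 control come down to one observable: who is reaching /webcti/session_ajax.php. The script below is an added example (not code from the page or from Slican) that hunts through web-server access logs for requests to that endpoint from outside the networks allowed to reach the device's management interface. The log lines are constructed in Apache/nginx "combined" format, and the management allowlist is an assumption to be replaced with your own.

```python
"""Hunt web-server access logs for requests to the CVE-2025-14577 endpoint
from sources outside the management networks.

Added example; not code from the page or from Slican. Log lines are
constructed, and MANAGEMENT_NETS is an assumed allowlist."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

VULN_PATH = "/webcti/session_ajax.php"

# Assumed networks that are allowed to reach the device's web interface.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Apache/nginx "combined" access-log format: client, ident, user, [time],
# "METHOD path PROTO", status, size, then referer/user-agent (ignored here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    # Strip the query string so '/webcti/session_ajax.php?x=1' still matches.
    rec["path"] = str(rec["path"]).split("?", 1)[0]
    rec["status"] = int(str(rec["status"]))
    return rec


def from_management_net(ip: str) -> bool:
    """True if the client address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: never treat as trusted
    return any(addr in net for net in MANAGEMENT_NETS)


def hunt(lines: Iterable[str]) -> Tuple[List[Dict[str, object]], Counter]:
    """Return (findings, per_source_counts).

    findings: one record per request to VULN_PATH from a non-management source.
    per_source_counts: every source that touched the endpoint, trusted or not,
    which is useful for spotting a trusted host that is suddenly noisy."""
    findings: List[Dict[str, object]] = []
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        # Case-insensitive match so probes with odd casing are still counted,
        # even though the server itself may answer them with 404.
        if rec is None or str(rec["path"]).lower() != VULN_PATH:
            continue
        counts[str(rec["ip"])] += 1
        if not from_management_net(str(rec["ip"])):
            findings.append({k: rec[k] for k in ("ip", "ts", "method", "status")})
    return findings, counts


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '10.10.3.7 - - [25/Feb/2026:09:01:12 +0100] "POST /webcti/session_ajax.php HTTP/1.1" 200 512',
    '203.0.113.45 - - [25/Feb/2026:09:02:40 +0100] "POST /webcti/session_ajax.php HTTP/1.1" 200 1834',
    '203.0.113.45 - - [25/Feb/2026:09:02:41 +0100] "POST /webcti/session_ajax.php?x=1 HTTP/1.1" 200 96',
    '198.51.100.9 - - [25/Feb/2026:09:05:03 +0100] "GET /webcti/login.php HTTP/1.1" 200 2210',
    '198.51.100.9 - - [25/Feb/2026:09:05:05 +0100] "GET /WebCTI/Session_Ajax.php HTTP/1.1" 404 196',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found, per_source = hunt(SAMPLE_LOG)
    for f in found:
        print(f"ALERT {f['ts']} {f['ip']} {f['method']} -> {f['status']}")
    print("sources touching endpoint:", dict(per_source))
```

A 200 response to an external POST on this endpoint is the signal to act on: the flaw needs no credentials, so a successful request from outside the management networks on an unpatched device should be treated as a probable compromise, not as a failed attempt. Run the same query over the WAF or reverse-proxy logs if the device sits behind one, since those are the logs that survive if the device itself is tampered with.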

References

CERT Polska advisory: https://cert.pl/posts/2026/02/CVE-2025-14577
Vendor product page: https://www.slican.pl/oferta/centrale-telefoniczne/