CVE-2025-14577
Published: 24 February 2026
Summary
CVE-2025-14577 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Slican Ncp Firmware. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-14577 affects Slican NCP/IPL/IPM/IPU devices. The CWE recorded for this entry is CWE-306 (Missing Authentication for Critical Function); the advisory describes the flaw itself as PHP function injection: the /webcti/session_ajax.php endpoint accepts requests without any authentication and feeds attacker-controlled input into PHP code execution, so an unauthenticated remote attacker can run arbitrary PHP by sending specially crafted requests to it. The summary above reports a base score of 9.3 (Critical); the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H evaluates to 9.8, reflecting network reachability, low attack complexity, no privileges or user interaction, and high impact on confidentiality, integrity, and availability.
An unauthenticated attacker with network access to the affected device can exploit this vulnerability remotely without privileges or user interaction. Arbitrary PHP execution on the device is remote code execution in the context of its web server, which on a PBX appliance means access to its data and configuration, full system compromise, and a foothold for lateral movement into the voice and management networks it is connected to.
The vulnerability was fixed in Slican NCP version 1.24.0190 and Slican IPL/IPM/IPU version 6.61.0010. Update to these or later releases immediately and confirm the running firmware version afterwards; until the update is applied, restrict network access to the device's web interface so that the endpoint is not reachable from untrusted networks. Additional details are available in the advisory at https://cert.pl/posts/2026/02/CVE-2025-14577 and on the vendor site at https://www.slican.pl/oferta/centrale-telefoniczne/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208088
- 🇵🇱 CERT-PL: https://cert.pl/posts/2026/02/CVE-2025-14577
Vulnerability details
Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to the /webcti/session_ajax.php endpoint. This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability allows unauthenticated remote code execution via a public-facing web endpoint (/webcti/session_ajax.php), which is exactly the exploitation of a public-facing application that T1190 describes.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the flaw by requiring timely installation of the vendor patches, Slican NCP 1.24.0190 and IPL/IPM/IPU 6.61.0010.
- SI-10 (Information Input Validation): reduces exploitability by requiring validation and sanitization of input to the /webcti/session_ajax.php endpoint so that crafted PHP function injection requests are rejected. On a vendor appliance this is the vendor's change to make, so for an operator it is a reason to patch rather than a substitute for patching.
- SC-7 (Boundary Protection): limits the network reach of the vulnerable endpoint through firewalls or a WAF so that only trusted management networks can address it, reducing exposure to unauthenticated attackers while the update is pending.
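Added example (not part of the CVE entry, CERT-PL's advisory, or Slican's software): a small Python triage helper covering two actions the page calls for, the patch check against the fixed versions named in the deeper analysis, and the boundary-protection check from the mitigating-controls list, implemented as a pass over web-server access logs that flags requests to /webcti/session_ajax.php from outside trusted networks. The log format (Apache-style common log), the addresses, and the trusted network range are constructed for the example; the version scheme (dotted numeric fields such as 1.24.0190) is assumed from the version strings the advisory quotes.

```python
"""Triage helper for CVE-2025-14577 (example code, not from the advisory or vendor).

1. is_vulnerable(): compare a device's firmware version with the fixed release
   for its product line (NCP 1.24.0190; IPL/IPM/IPU 6.61.0010).
2. triage_access_log(): list requests to the unauthenticated endpoint that came
   from outside the networks allowed to reach the PBX (SC-7 style check).
"""
import ipaddress
import re

# Fixed versions as stated in the advisory.
FIXED_VERSIONS = {
    "NCP": "1.24.0190",
    "IPL": "6.61.0010",
    "IPM": "6.61.0010",
    "IPU": "6.61.0010",
}

VULN_ENDPOINT = "/webcti/session_ajax.php"


def parse_version(version: str) -> tuple:
    """'1.24.0190' -> (1, 24, 190). Numeric comparison, so the zero-padded
    build field ('0190' vs '0200') is compared as a number, not a string.
    Assumption: versions are dotted decimal fields, as in the advisory."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the device runs a release older than the fixed one."""
    fixed = FIXED_VERSIONS.get(product.upper())
    if fixed is None:
        raise KeyError(f"unknown Slican product line: {product!r}")
    return parse_version(version) < parse_version(fixed)


# Apache-style common log line: src ident user [ts] "METHOD path proto" status bytes
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def triage_access_log(lines, trusted_networks):
    """Return (src, timestamp, method, path, status) for every request to the
    vulnerable endpoint from outside trusted_networks (CIDR strings).

    The endpoint needs no authentication, so a 200 from an unknown source is a
    candidate exploitation attempt, not routine CTI traffic. Unparseable source
    fields are treated as untrusted rather than silently dropped."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m.group("path").split("?", 1)[0] != VULN_ENDPOINT:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
            trusted = any(src in n for n in nets)
        except ValueError:
            trusted = False
        if trusted:
            continue
        hits.append((m.group("src"), m.group("ts"), m.group("method"),
                     m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log: 10.0.5.0/24 plays the trusted CTI client network;
# 198.51.100.23 is an untrusted source hitting the endpoint.
SAMPLE_LOG = [
    '10.0.5.17 - - [24/Feb/2026:09:01:12 +0100] "GET /webcti/index.php HTTP/1.1" 200 5120',
    '10.0.5.17 - - [24/Feb/2026:09:01:13 +0100] "POST /webcti/session_ajax.php HTTP/1.1" 200 88',
    '198.51.100.23 - - [24/Feb/2026:09:02:40 +0100] "POST /webcti/session_ajax.php HTTP/1.1" 200 412',
    '198.51.100.23 - - [24/Feb/2026:09:02:41 +0100] "GET /webcti/session_ajax.php?x=1 HTTP/1.1" 200 17',
    '203.0.113.9 - - [24/Feb/2026:09:03:00 +0100] "GET /robots.txt HTTP/1.1" 404 0',
]


if __name__ == "__main__":
    for product, version in [("NCP", "1.24.0185"), ("NCP", "1.24.0190"), ("IPL", "6.60.9999")]:
        state = "VULNERABLE" if is_vulnerable(product, version) else "fixed"
        print(f"{product} {version}: {state}")
    for hit in triage_access_log(SAMPLE_LOG, ["10.0.5.0/24"]):
        print("untrusted hit on vulnerable endpoint:", hit)
```

Run it against a real export of the device's web-server log and your actual management CIDRs; any hit from outside those ranges on an unpatched device should be treated as a potential compromise of the appliance, not just a scan.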