| CVE ID | CVE-2025-14577 |
| Publication date | 24 February 2026 |
| Vendor | Slican |
| Product | NCP, IPL, IPM, IPU |
| Vulnerable versions | All before 1.24.0190 (Slican NCP) and before 6.61.0010 (Slican IPL/IPM/IPU). |
| Vulnerability type (CWE) | Missing Authentication for Critical Function (CWE-306) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about a vulnerability in Slican NCP/IPL/IPM/IPU devices and participated in the coordination of its disclosure.
The vulnerability CVE-2025-14577: Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to the /webcti/session_ajax.php endpoint.
This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).
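For log review on devices that have not yet been updated, the following added example (not part of the original advisory and not vendor code) lists which clients requested the affected endpoint. It assumes access logs in Common/Combined Log Format from a web server or reverse proxy in front of the device; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory for CVE-2025-14577.
ENDPOINT = "/webcti/session_ajax.php"

# Assumption: Common/Combined Log Format, e.g. from a proxy in front of the device.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def canonical_path(target):
    """Decode and normalise a request target so encoded or padded paths still match."""
    path = urlsplit(target).path
    for _ in range(2):                      # undo single and double percent-encoding
        path = unquote(path)
    path = re.sub(r"/{2,}", "/", path)      # collapse repeated slashes
    # Lower-casing is deliberately over-inclusive: better a false hit than a miss.
    return normpath(path or "/").lower()

def hits_by_client(lines):
    """Return {client_ip: [(timestamp, method, status), ...]} for requests to ENDPOINT."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = canonical_path(m["target"])
        # Also match trailing path info after the script name.
        if path == ENDPOINT or path.startswith(ENDPOINT + "/"):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [24/Feb/2026:10:00:01 +0000] "POST /webcti/session_ajax.php HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [24/Feb/2026:10:00:05 +0000] "POST /webcti/%73ession_ajax.php?a=1 HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '203.0.113.20 - - [24/Feb/2026:10:01:00 +0000] "GET /webcti//./Session_Ajax.php HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.10 - - [24/Feb/2026:10:02:00 +0000] "GET /webcti/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reqs in hits_by_client(SAMPLE).items():
        print(ip, len(reqs), reqs)
```

A hit shows only that the endpoint was requested; read it together with the firmware version running on the device at the time of the request.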
Credits
We thank Dariusz Gońda for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.