ctipilot.ch

Slican PBX PSTN modem interface hardcoded caller-ID admin auth bypass (temporarily re-enables remote management)

cve · CVE-2026-35090

  • Coverage timeline: 1 (first 2026-05-28 → last 2026-05-28)
  • Briefs: 1 (1 distinct)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-05-28 · CTI Daily Brief — 2026-05-28
     trending_vulns: First coverage. CVSS 4.0: 9.3 (CRITICAL). Companion to CVE-2026-35087. Notable: bypasses the 'remote access disabled' configuration.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • cert.pl: 1 (50%)
  • euvd.enisa.europa.eu: 1 (50%)

Related entities

Items in briefs about Slican PBX PSTN modem interface hardcoded caller-ID admin auth bypass (temporarily re-enables remote management) (1)

CVE-2026-35087 / CVE-2026-35089 / CVE-2026-35090 — Slican PBX telephony exchanges, triple pre-authentication admin bypass (CERT Polska)

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

CERT Polska disclosed three vulnerabilities in Slican PBX firmware on 2026-05-27. Slican is a Polish manufacturer of PBX and IP-telephony equipment with broad deployment in Polish government, public administration and healthcare, and its products are also sold across Central and Eastern Europe (CERT Polska, 2026-05-27; ENISA EUVD-2026-32276, 2026-05-27).

  • CVE-2026-35087 (CVSS 4.0: 9.3): the administrative protocol accepts a specific command that bypasses credential checks, granting admin shell access.
  • CVE-2026-35089 (CVSS 4.0: 8.7): the secure key protecting the admin service is generated deterministically from system properties obtainable without authentication, so an attacker can recompute the key and extract admin credentials.
  • CVE-2026-35090 (CVSS 4.0: 9.3): the remote-management modem interface accepts a hardcoded caller-ID that bypasses admin authentication on the PSTN side; if remote access is disabled, the call temporarily re-enables it.

All three are exploitable remotely without authentication. Fixed firmware versions: IPx series ≥ 6.61.0040, CCT-1668 / MAC-6400 ≥ 6.56.0430, CXS-0424 ≥ 6.30.0510, NCP ≥ 1.24.0250. EOL hardware (versions ≤ 4.xx: CCT-1668 CCT1CPU, MAC-6400 and CXS-0424, discontinued 2011/2012) will not receive patches; the vendor recommends hardware replacement.

CVE Summary Table

CVE            | Product                                             | CVSS      | EPSS | KEV                      | Exploited             | Patch                                                                                   | Source
---------------|-----------------------------------------------------|-----------|------|--------------------------|-----------------------|-----------------------------------------------------------------------------------------|--------------
CVE-2026-48842 | Roundcube Webmail (virtuser_query plugin)           | 8.1       | n/a  | No                       | No (PoC reported)     | 1.6.16 LTS / 1.7.1                                                                      | Roundcube
CVE-2026-48843 | Roundcube Webmail (SVG animate CSS sanitiser)       | High      | n/a  | No                       | No                    | 1.6.16 LTS / 1.7.1                                                                      | Roundcube
CVE-2026-48844 | Roundcube Webmail (LDAP autovalues)                 | High      | n/a  | No                       | No                    | 1.6.16 LTS / 1.7.1                                                                      | Roundcube
CVE-2026-48848 | Roundcube Webmail (HTML sanitiser SVG bypass)       | High      | n/a  | No                       | No                    | 1.6.16 LTS / 1.7.1                                                                      | Roundcube
CVE-2026-35087 | Slican PBX (IPx, CCT-1668, MAC-6400, CXS-0424, NCP) | 9.3 (4.0) | n/a  | No                       | No                    | IPx 6.61.0040 / CCT-1668 + MAC-6400 6.56.0430 / CXS-0424 6.30.0510 / NCP 1.24.0250      | CERT-PL
CVE-2026-35089 | Slican PBX (admin-service key derivation)           | 8.7 (4.0) | n/a  | No                       | No                    | Same as CVE-2026-35087                                                                  | CERT-PL
CVE-2026-35090 | Slican PBX (PSTN modem caller-ID bypass)            | 9.3 (4.0) | n/a  | No                       | No                    | Same as CVE-2026-35087                                                                  | CERT-PL
CVE-2026-48027 | Nx Console (VS Code extension) — see § 5            | n/a       | n/a  | Yes (added 2026-05-27)   | Yes (CISA KEV)        | Nx Console ≥ 18.100.0                                                                   | Nx postmortem
CVE-2026-45321 | TanStack Router (npm) — see § 5                     | n/a       | n/a  | Yes (added 2026-05-27)   | Yes (CISA KEV)        | See GHSA-g7cv-rxg3-hmpx                                                                 | GHSA
CVE-2026-8398  | DAEMON Tools Lite — see § 5                         | n/a       | n/a  | Yes (added 2026-05-27)   | Yes (CISA KEV)        | DAEMON Tools Lite ≥ 12.6.0                                                              | Disc Soft
CVE-2026-27771 | Gitea (< 1.26.2) — see § 7                          | n/a       | n/a  | No                       | No (passive exposure) | Gitea 1.26.2                                                                            | NoScope