CVE-2025-14577

UNKNOWN 0.0

PHP Function Injection in Slican NPC/IPL/IPM/IPU

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to /webcti/session_ajax.php endpoint. This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).

CWE	CWE-306
Vendor	slican
Product	ncp
Published	Feb 24, 2026
Last Updated	Feb 24, 2026

Stay Ahead of the Next One

Get instant alerts for slican ncp

Be the first to know when new unknown vulnerabilities affecting slican ncp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Slican / NCP

0 < 1.24.0190

Slican / IPL

0 < 6.61.0010

Slican / IPM

0 < 6.61.0010

Slican / IPU

0 < 6.61.0010

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cert.pl: https://cert.pl/posts/2026/02/CVE-2025-14577 slican.pl: https://www.slican.pl/oferta/centrale-telefoniczne/

Credits

Dariusz Gońda