CVE-2025-14577
📋 TL;DR
Slican NCP/IPL/IPM/IPU devices contain a PHP function injection vulnerability in the /webcti/session_ajax.php endpoint. Unauthenticated remote attackers can execute arbitrary PHP commands, potentially leading to complete system compromise. This affects all unpatched Slican NCP, IPL, IPM, and IPU devices.
💻 Affected Systems
- Slican NCP
- Slican IPL
- Slican IPM
- Slican IPU
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover, data exfiltration, ransomware deployment, and use as pivot point for network attacks
Likely Case
Remote code execution leading to device compromise, credential theft, and lateral movement
If Mitigated
Limited impact if device is isolated, patched, or has network controls blocking external access
🎯 Exploit Status
The vulnerability requires sending specially crafted HTTP requests to a specific endpoint. No authentication is required, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.24.0190 for NCP, 6.61.0010 for IPL/IPM/IPU
Vendor Advisory: https://www.slican.pl/oferta/centrale-telefoniczne/
Restart Required: Yes
Instructions:
1. Download the latest firmware from the Slican vendor portal.
2. Back up the current configuration.
3. Upload and apply the firmware update.
4. Reboot the device.
5. Verify the version matches the patched release.
🔧 Temporary Workarounds
Network Access Control
Block external access to affected devices and restrict internal access to authorized networks only
Web Application Firewall
Deploy WAF rules to block requests to /webcti/session_ajax.php containing PHP function injection patterns
🧯 If You Can't Patch
- Isolate affected devices in separate VLAN with strict firewall rules allowing only necessary traffic
- Implement network segmentation and monitor all traffic to/from affected devices for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the device web interface or CLI for the firmware version. If the version is below 1.24.0190 (NCP) or 6.61.0010 (IPL/IPM/IPU), the device is vulnerable.
Check Version:
Check via web interface at System > Information or via device-specific CLI commands
Verify Fix Applied:
Confirm the firmware version matches the patched release and test that the /webcti/session_ajax.php endpoint no longer accepts PHP function injection payloads
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /webcti/session_ajax.php with PHP function patterns
- Unusual process execution from web server context
- Failed authentication attempts followed by successful session_ajax.php access
Network Indicators:
- HTTP POST requests to /webcti/session_ajax.php containing eval(), system(), exec(), or passthru() patterns
- Outbound connections from device to unknown external IPs
SIEM Query:
source="web_logs" AND uri="/webcti/session_ajax.php" AND (body="eval(" OR body="system(" OR body="exec(" OR body="passthru(")
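The version check from "How to Verify" and the SIEM logic above, as an added example that is not Slican's code or part of this advisory. It assumes web logs have been normalized into records with `uri` and `body` fields (a hypothetical format; the sample records are constructed, and the log fields, products and thresholds are those named on this page).

```python
"""Defender-side helpers for CVE-2025-14577 (added example, not vendor code)."""
import re
from typing import Iterable, List
from urllib.parse import unquote_plus

ENDPOINT = "/webcti/session_ajax.php"
# PHP function-injection patterns named in the advisory's SIEM query.
PATTERNS = re.compile(r"\b(eval|system|exec|passthru)\s*\(", re.IGNORECASE)
# Patched firmware versions from the advisory, keyed by product family.
PATCHED = {"NCP": "1.24.0190", "IPL": "6.61.0010",
           "IPM": "6.61.0010", "IPU": "6.61.0010"}


def version_tuple(version: str) -> tuple:
    """'1.24.0190' -> (1, 24, 190); numeric compare instead of string compare."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the reported firmware is older than the patched release."""
    return version_tuple(version) < version_tuple(PATCHED[product.upper()])


def flag_record(rec: dict) -> bool:
    """Match the advisory's SIEM query on one normalized log record."""
    path = rec.get("uri", "").split("?", 1)[0]          # ignore query string
    if path != ENDPOINT:
        return False
    body = unquote_plus(rec.get("body", ""))             # undo form/URL encoding
    return PATTERNS.search(body) is not None


def scan(records: Iterable[dict]) -> List[dict]:
    """Return the records that match the indicator, preserving order."""
    return [r for r in records if flag_record(r)]


# Constructed sample records (hypothetical log format, placeholder bodies).
SAMPLE = [
    {"src": "10.0.0.5", "uri": ENDPOINT, "body": "action=refresh&sid=abc"},
    {"src": "198.51.100.7", "uri": ENDPOINT, "body": "action=system(REDACTED)"},
    {"src": "198.51.100.7", "uri": ENDPOINT + "?x=1", "body": "f=passthru%28REDACTED%29"},
    {"src": "10.0.0.9", "uri": "/index.php", "body": "q=eval(x)"},  # wrong endpoint
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("ALERT", hit["src"], hit["uri"], hit["body"])
    print("NCP 1.24.0100 vulnerable:", is_vulnerable("NCP", "1.24.0100"))
```

Decoding the body before matching matters because a URL-encoded "%28" would otherwise slip past the literal "(" in the query.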