CVE-2025-14577: CWE-306 Missing Authentication for Critical Function in Slican NCP
Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection. An unauthenticated remote attacker is able to execute arbitrary PHP commands by sending specially crafted requests to the /webcti/session_ajax.php endpoint. This issue was fixed in version 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).
AI Analysis
Technical Summary
CVE-2025-14577 is a critical security vulnerability identified in Slican NCP and related devices (IPL/IPM/IPU) that allows unauthenticated remote attackers to perform PHP function injection. The vulnerability stems from missing authentication controls on the /webcti/session_ajax.php endpoint, which processes requests without verifying the identity or privileges of the requester (CWE-306). By sending specially crafted HTTP requests to this endpoint, an attacker can inject and execute arbitrary PHP commands on the device, effectively gaining full control over the system. This can lead to complete compromise, including data theft, device manipulation, or denial of service. The vulnerability affects all versions prior to 1.24.0190 for NCP and 6.61.0010 for IPL/IPM/IPU devices. The issue was assigned a CVSS 4.0 base score of 9.3, indicating critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the ease of exploitation and severity make this a significant threat. The vulnerability was publicly disclosed and patched in early 2026, emphasizing the need for immediate remediation. The flaw highlights the importance of enforcing authentication on all critical management functions, especially those exposed via web interfaces.
Potential Impact
The impact of CVE-2025-14577 is severe for organizations using affected Slican devices, which are commonly deployed in telecommunications and enterprise telephony infrastructures. Successful exploitation allows attackers to execute arbitrary code remotely without authentication, leading to full system compromise. This can result in unauthorized access to sensitive communications data, interception or manipulation of calls, disruption of telephony services, and potential lateral movement within corporate networks. The compromise of telephony infrastructure can severely disrupt business operations, damage reputation, and lead to regulatory compliance violations. Given the critical role of these devices in communication networks, the vulnerability poses a high risk to confidentiality, integrity, and availability. The lack of authentication and ease of exploitation increase the likelihood of attacks, especially in environments where these devices are exposed to untrusted networks or the internet. Organizations that fail to patch or mitigate this vulnerability may face targeted attacks or opportunistic exploitation by threat actors.
Mitigation Recommendations
To mitigate CVE-2025-14577, organizations should immediately upgrade affected Slican devices to the fixed firmware versions: 1.24.0190 for NCP and 6.61.0010 for IPL/IPM/IPU. Until patches are applied, restrict network access to the management interfaces by implementing network segmentation and firewall rules that limit access to trusted administrators only. Disable or block access to the /webcti/session_ajax.php endpoint if possible. Employ intrusion detection and prevention systems to monitor for suspicious HTTP requests targeting this endpoint. Regularly audit device configurations to ensure no unauthorized changes have been made. Additionally, enforce strong authentication mechanisms on all management interfaces and consider deploying web application firewalls (WAFs) to detect and block injection attempts. Maintain an up-to-date inventory of affected devices to prioritize patching efforts. Finally, monitor threat intelligence feeds for any emerging exploit activity related to this vulnerability.
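One way to carry out the monitoring step above is to triage web access logs for requests to the endpoint that come from outside the trusted administrator networks. This is an added example, not code from Slican or from this advisory; the log format (common/combined, from a reverse proxy in front of the device), the trusted subnet and the sample lines are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/webcti/session_ajax.php"  # path named in the advisory
# Assumption: management subnet allowed to reach the device web interface.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: common/combined access log format from a proxy in front of the device.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalise_path(target):
    """Drop the query string, decode percent-encoding, collapse '//' and lower-case."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source field: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def untrusted_hits(lines):
    """Map source IP -> [(timestamp, method, status)] for endpoint requests from outside TRUSTED_NETS."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalise_path(m["target"]) != ENDPOINT:
            continue
        if not is_trusted(m["src"]):
            hits[m["src"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.20.0.5 - - [24/Feb/2026:09:00:01 +0000] "POST /webcti/session_ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Feb/2026:09:02:13 +0000] "POST /webcti/session_ajax.php HTTP/1.1" 200 87',
    '203.0.113.7 - - [24/Feb/2026:09:02:15 +0000] "GET /webcti//Session_Ajax.php?x=1 HTTP/1.1" 200 87',
    '198.51.100.9 - - [24/Feb/2026:09:05:40 +0000] "GET /webcti/%73ession_ajax.php HTTP/1.1" 403 0',
    '198.51.100.9 - - [24/Feb/2026:09:05:41 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, events in untrusted_hits(SAMPLE).items():
        print(src, events)
```

Matching is deliberately case-insensitive and tolerant of encoded or doubled slashes, so it may over-report; a 2xx status from an untrusted source on an unpatched device is the case to escalate first.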
Affected Countries
Poland, Germany, United Kingdom, France, Italy, Spain, United States, Brazil, Russia, Turkey, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2025-12-12T13:28:43.671Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699daf6bbe58cf853bdddd5e
Added to database: 2/24/2026, 2:02:19 PM
Last enriched: 2/24/2026, 2:16:55 PM
Last updated: 2/24/2026, 9:32:17 PM