CVE-2026-35089
Description
In Slican telephone exchanges, the secure key is generated in a predictable manner using properties of the telephone exchange which can be obtained without authentication. An unauthenticated attacker can deduce the secure key and obtain admin credentials.

This issue was fixed in the following versions:
- IPx series: version 6.61.0040
- CCT-1668: version 6.56.0430
- MAC-6400: version 6.56.0430
- CXS-0424: version 6.30.0510

The issue STILL EXISTS in End-Of-Life telephone exchanges in versions 4.xx and below:
- CCT-1668 (CCT1CPU)
- MAC-6400
- CXS-0424

These products were discontinued in 2011 and 2012 and will not receive updates. They require a hardware update in order to receive a software update. The vendor recommends that users of these devices contact the service department directly to determine the options for upgrading.
Related Vulnerabilities
Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they …
Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs …
Longse model LBH30FE200W cameras, as well as products based on this device, make use of telnet passwords which follow a …
Under certain circumstances the Software House C●CURE 9000 installer will utilize weak credentials.
An unauthenticated attacker who knows the target device's serial number can generate the default administrator password for the device. An …
Partner Software's Partner Software Product and corresponding Partner Web application use the same default username and password for the administrator …