OpenCode Systems OC Messaging and USSD Gateway
Plan Patch | CVSS 8.1 | ICS-CERT ICSA-26-085-02 | Mar 26, 2026
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in OpenCode Systems OC Messaging and USSD Gateway allows authenticated low-privileged users to access SMS messages outside their authorized tenant scope by manipulating company or tenant identifier parameters. This enables cross-tenant data access and potential exposure of sensitive communications including authentication codes and operational alerts. The vendor remediated the issue on January 6, 2026 with the release of version 6.33.11.
What this means
What could happen
An authenticated user with low privileges could access SMS messages belonging to other customers or tenants, compromising confidentiality of communications that may contain sensitive information like authentication codes or operational alerts.
Who's at risk
Operators and administrators of OpenCode Systems OC Messaging and USSD Gateway platforms used for SMS communications in utilities, emergency services, or any organization managing multi-tenant messaging systems where SMS confidentiality is critical.
How it could be exploited
An attacker with valid login credentials (even a low-privilege account) could manipulate the company or tenant identifier parameter in API requests to retrieve SMS messages from other tenant accounts. This could be done through direct API calls or through the web interface by modifying request parameters.
Prerequisites
- Valid authenticated user account (low-privileged sufficient)
- Access to OC Messaging or USSD Gateway interface or API
- Knowledge of other tenant or company identifiers
Authenticated access required | Low complexity exploitation | Multi-tenant data exposure | Sensitive communications compromise
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
OC Messaging: 6.32.2 | 6.32.2 | No fix yet
USSD Gateway: 6.32.2 | 6.32.2 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Review audit logs for any unauthorized access to SMS messages or cross-tenant data retrieval attempts
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update OC Messaging to version 6.33.11 or later
HOTFIX: Update USSD Gateway to version 6.33.11 or later
Long-term hardening
HARDENING: Restrict administrative access to account management interfaces using firewall rules or network segmentation
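For the audit-log review listed under "Do now", one way to surface cross-tenant requests is to compare the company or tenant identifier in each request with the tenant of the authenticated caller. This is an added example, not vendor code: the JSON-lines log format, its field names and the `company_id` / `tenant_id` parameter names are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Hypothetical parameter names; substitute the ones your deployment logs.
TENANT_PARAMS = ("company_id", "tenant_id")

# Constructed sample audit log (JSON lines); the product's real log format may differ.
SAMPLE_LOG = """\
{"ts":"2026-01-02T10:00:01Z","user":"alice","user_tenant":"1001","status":200,"url":"/api/sms/messages?company_id=1001&page=1"}
{"ts":"2026-01-02T10:00:09Z","user":"bob","user_tenant":"1002","status":200,"url":"/api/sms/messages?company_id=1003"}
{"ts":"2026-01-02T10:00:12Z","user":"bob","user_tenant":"1002","status":200,"url":"/api/sms/messages?tenant_id=1004"}
{"ts":"2026-01-02T10:00:15Z","user":"bob","user_tenant":"1002","status":403,"url":"/api/sms/messages?company_id=1001"}
{"ts":"2026-01-02T10:01:00Z","user":"carol","user_tenant":"1003","status":200,"url":"/api/sms/messages?company_id=1003&company_id=1001"}
not-json garbage line
"""

def cross_tenant_requests(lines):
    """Yield (record, foreign_ids) for requests naming a tenant other than the caller's."""
    for line in lines:
        try:
            rec = json.loads(line)
            query = parse_qs(urlsplit(rec["url"]).query)
            home = str(rec["user_tenant"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete records
        # parse_qs keeps repeated parameters, so a duplicated identifier is also checked
        requested = {v for p in TENANT_PARAMS for v in query.get(p, [])}
        foreign = requested - {home}
        if foreign:
            yield rec, foreign

def summarize(lines):
    """Per user: foreign tenants requested, and those answered with HTTP 2xx."""
    report = defaultdict(lambda: {"attempted": set(), "succeeded": set()})
    for rec, foreign in cross_tenant_requests(lines):
        entry = report[rec["user"]]
        entry["attempted"] |= foreign
        if 200 <= int(rec.get("status", 0)) < 300:
            entry["succeeded"] |= foreign
    return dict(report)

if __name__ == "__main__":
    for user, r in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(user, "attempted:", sorted(r["attempted"]), "succeeded:", sorted(r["succeeded"]))
```

Entries in `succeeded` are the ones to investigate first, since a 2xx response to a foreign identifier means message data may have been returned.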
CVEs (1)
API: /api/v1/advisories/3f0d506e-a20e-4a6d-a6ef-d281a4d7e54d