OpenCode Systems OC Messaging and USSD Gateway
Plan Patch | 8.1 | ICS-CERT ICSA-26-085-02 | Mar 26, 2026
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A flaw in parameter validation in OC Messaging and USSD Gateway versions 6.32.2 and earlier allows authenticated low-privileged users to access SMS messages and data outside their authorized tenant scope. By crafting a request with a modified company or tenant identifier parameter, a user can bypass tenant isolation controls and read messages intended for other organizations. The vulnerability affects the confidentiality of sensitive communications but does not enable modification or deletion of messages.
What this means
What could happen
An authenticated user with low-level access could read SMS messages intended for other organizations or departments by exploiting a parameter validation flaw. This could expose sensitive communications, customer data, or operational alerts meant for other tenants.
Who's at risk
Organizations using OpenCode Systems OC Messaging or USSD Gateway platforms should be aware that current versions allow authenticated users to access SMS messages and data outside their assigned scope. This affects any organization using these systems for SMS communication, including telecom providers, enterprises managing multi-tenant messaging platforms, and municipal services relying on USSD gateways.
How it could be exploited
An attacker with valid login credentials for one tenant or company account logs into OC Messaging or USSD Gateway and crafts a request with a modified company or tenant identifier parameter. The application fails to validate that the user is authorized to access that tenant's data, allowing the attacker to read SMS messages belonging to other organizations.
Prerequisites
- Valid user credentials for OC Messaging or USSD Gateway with low-privileged access
- Network access to the OC Messaging or USSD Gateway application
- Knowledge of or ability to enumerate valid company/tenant identifier values
- Authentication required but privilege level is low
- Cross-tenant data exposure vulnerability
- Affects confidentiality of SMS messages
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
OC Messaging: 6.32.2 | 6.32.2 | No fix yet
USSD Gateway: 6.32.2 | 6.32.2 | No fix yet
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update OC Messaging to version 6.33.11 or later
- HOTFIX: Update USSD Gateway to version 6.33.11 or later
Long-term hardening
- HARDENING: Implement network segmentation to restrict access to OC Messaging and USSD Gateway applications to authorized administrators only
- HARDENING: Review and enforce role-based access control (RBAC) to ensure users can only access their assigned tenant or company data
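While the update is being scheduled, access logs can be reviewed for the cross-tenant requests described under "How it could be exploited". The following is an added example, not code from the vendor or the advisory; the log line format, the `company_id`/`tenant_id` parameter names and the user-to-tenant mapping are all assumptions to adapt to your deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed user-to-tenant assignments (assumption: exported from your user directory).
USER_TENANT = {"alice": "1001", "bob": "1002"}

# Constructed sample log lines; the format and parameter names are hypothetical.
SAMPLE_LOG = """\
2026-03-20T10:00:01Z user=alice GET /messages?company_id=1001&page=1 200
2026-03-20T10:00:09Z user=alice GET /messages?company_id=1002&page=1 200
2026-03-20T10:00:12Z user=alice GET /messages?company_id=1003 403
2026-03-20T10:01:30Z user=bob GET /messages?tenant_id=1002 200
2026-03-20T10:02:00Z user=carol GET /messages?company_id=1001 200
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) (\S+) (\S+) (\d{3})$")
TENANT_PARAMS = ("company_id", "tenant_id")  # hypothetical parameter names


def find_cross_tenant(log_text, user_tenant):
    """Return requests whose tenant parameter differs from the user's assigned tenant."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, user, _method, target, status = m.groups()
        query = parse_qs(urlsplit(target).query)
        requested = {v for p in TENANT_PARAMS for v in query.get(p, [])}
        if not requested:
            continue  # request carries no tenant identifier
        assigned = user_tenant.get(user)  # None: user missing from the mapping
        foreign = sorted(requested - {assigned})
        if foreign:
            findings.append({
                "time": ts, "user": user, "assigned": assigned,
                "requested": foreign,
                # A 2xx status means the out-of-scope data was actually returned.
                "served": status.startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for f in find_cross_tenant(SAMPLE_LOG, USER_TENANT):
        print(f)
```

Findings with `served` set to true are the ones to prioritise, since the response status indicates another tenant's data was returned; users absent from the mapping are flagged so the mapping can be corrected or the account investigated.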
CVEs (1)