CVE-2025-70614
Published: 05 March 2026
Summary
CVE-2025-70614 is a high-severity Improper Access Control (CWE-284) vulnerability in Opencode Ussd Gateway. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 17.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-70614 is a broken access control vulnerability (CWE-284) in OpenCode Systems OC Messaging / USSD Gateway version 6.32.2. The flaw exists in the web-based control panel, where authenticated low-privileged attackers can use a crafted company or tenant identifier parameter to gain access to arbitrary SMS messages. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality and integrity impacts.
Low-privileged users with valid authentication to the web-based control panel can exploit this vulnerability remotely without user interaction. By manipulating the company or tenant identifier parameter, attackers achieve unauthorized access to SMS messages beyond their intended scope, potentially exposing sensitive communications across tenants or organizations.
Advisory details, including potential mitigation steps, are available in the referenced GitHub Gist at https://gist.github.com/whiteman0007/e02b8cfd6c67ff1eaaf54fba041582a1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208325
Vulnerability details
OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain access to arbitrary SMS messages via a crafted company or tenant identifier parameter.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Broken access control (IDOR-style tenant/company ID manipulation) in the web control panel directly enables remote exploitation of a public-facing application to access unauthorized data.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces approved authorizations in the web-based control panel so that low-privileged users cannot reach arbitrary SMS messages by manipulating the tenant parameter.
- SI-10 (Information Input Validation): validates the structure and content of the crafted company or tenant identifier parameter, blocking unauthorized access to SMS messages across tenants.
- Restricts low-privileged users to only their authorized tenant's SMS messages, limiting the scope of unauthorized access even if enforcement is flawed.
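The analysis above describes an IDOR-style tenant/company identifier flaw, and the controls listed here (AC-3 enforcement and SI-10 validation) are the textbook fixes for it. The following Python is an added illustration written for this page; it is not code from the advisory, the Gist or OpenCode Systems. It assumes a hypothetical `tenant_id` query parameter, an in-memory message store, and a key=value access-log format; every message, user and log line is constructed. It shows the vulnerable handler that trusts the client-supplied tenant beside a hardened handler that derives scope from the session and validates the parameter first, plus a small log check a defender could run to spot cross-tenant requests that were served with a 200.

```python
"""Added illustration of the CWE-284 pattern described in this record: a
multi-tenant message-listing handler that trusts a client-supplied tenant
identifier, the hardened handler (AC-3 enforcement plus SI-10 validation),
and a simple log check for tenant mismatches. Every name, parameter and
record here is constructed for the example; none comes from the product."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Authenticated caller; tenant_id was fixed at login, not by the client."""
    user: str
    tenant_id: str


@dataclass(frozen=True)
class SmsMessage:
    tenant_id: str
    msg_id: int
    body: str


# Constructed sample store holding messages of two unrelated tenants.
MESSAGE_STORE = [
    SmsMessage("acme", 1, "ACME: one-time code 123456"),
    SmsMessage("acme", 2, "ACME: invoice ready"),
    SmsMessage("globex", 3, "GLOBEX: password reset code 998877"),
]

# Hypothetical identifier shape for this example: short, lowercase, no quotes.
TENANT_ID_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,31}$")


class AccessDenied(Exception):
    pass


def list_messages_vulnerable(session: Session, params: dict) -> list:
    """Broken access control: the tenant scope is taken from the request.

    Any authenticated low-privileged user can read another tenant's messages
    simply by supplying that tenant's identifier (the IDOR-style flaw class)."""
    tenant = params.get("tenant_id", session.tenant_id)
    return [m for m in MESSAGE_STORE if m.tenant_id == tenant]


def list_messages_hardened(session: Session, params: dict) -> list:
    """Same endpoint with the two controls the record names.

    SI-10: reject a malformed identifier before it reaches any query.
    AC-3: authorization scope comes from the server-side session; a client
    value is accepted only when it matches, so the parameter cannot widen
    access even if the data layer forgets to filter."""
    requested = params.get("tenant_id")
    if requested is not None and not TENANT_ID_RE.match(requested):
        raise ValueError("malformed tenant identifier")
    if requested is not None and requested != session.tenant_id:
        raise AccessDenied(
            f"user {session.user} (tenant {session.tenant_id}) "
            f"requested tenant {requested}"
        )
    return [m for m in MESSAGE_STORE if m.tenant_id == session.tenant_id]


# Constructed control-panel access log in key=value form (hypothetical format).
ACCESS_LOG = [
    "2026-03-05T10:00:01Z user=alice session_tenant=acme param_tenant=acme path=/panel/messages status=200",
    "2026-03-05T10:00:07Z user=alice session_tenant=acme param_tenant=globex path=/panel/messages status=200",
    "2026-03-05T10:00:09Z user=bob session_tenant=globex path=/panel/messages status=200",
]
LOG_KV = re.compile(r"(\w+)=(\S+)")


def tenant_mismatches(lines: list) -> list:
    """Detection: flag requests whose tenant parameter differs from the
    session's tenant. A 200 on such a request is the signal that the
    vulnerable handler served cross-tenant data."""
    hits = []
    for line in lines:
        fields = dict(LOG_KV.findall(line))
        requested = fields.get("param_tenant")
        if requested and requested != fields.get("session_tenant"):
            hits.append((fields["user"], fields["session_tenant"],
                         requested, fields.get("status")))
    return hits


if __name__ == "__main__":
    alice = Session("alice", "acme")
    print("vulnerable:", [m.msg_id for m in list_messages_vulnerable(alice, {"tenant_id": "globex"})])
    print("hardened:", [m.msg_id for m in list_messages_hardened(alice, {})])
    print("mismatches:", tenant_mismatches(ACCESS_LOG))
```

The hardened handler deliberately filters on `session.tenant_id` rather than on the validated parameter: the regex (SI-10) only keeps malformed input out of the query layer, while the session-derived filter (AC-3) is what actually prevents cross-tenant reads. The log check is the cheapest retrospective signal for the class of flaw this record describes, since a request whose tenant parameter disagrees with the session's tenant and still returned 200 is exactly the case the advisory warns about.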