Cyber Resilience

CVE-2025-70614

Severity: High
Published: 05 March 2026
Modified: 06 May 2026
CVSS v3.1 Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0026 (17.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-70614 is a high-severity Improper Access Control (CWE-284) vulnerability in OpenCode USSD Gateway. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 17.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-70614 is a broken access control vulnerability (CWE-284) in OpenCode Systems OC Messaging / USSD Gateway version 6.32.2. The flaw exists in the web-based control panel, where authenticated low-privileged attackers can use a crafted company or tenant identifier parameter to gain access to arbitrary SMS messages. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality and integrity impacts.

Low-privileged users with valid authentication to the web-based control panel can exploit this vulnerability remotely without user interaction. By manipulating the company or tenant identifier parameter, attackers achieve unauthorized access to SMS messages beyond their intended scope, potentially exposing sensitive communications across tenants or organizations.

Advisory details, including potential mitigation steps, are available in the referenced GitHub Gist at https://gist.github.com/whiteman0007/e02b8cfd6c67ff1eaaf54fba041582a1.

Vulnerability details

OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain access to arbitrary SMS messages via a crafted company or tenant identifier parameter.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Broken access control (IDOR-style tenant/company ID manipulation) in the web control panel directly enables remote exploitation of a public-facing application to access unauthorized data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7198 (shared CWE-284)
CVE-2026-46818 (shared CWE-284)
CVE-2025-70363 (shared CWE-284)
CVE-2026-34310 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2026-34287 (shared CWE-284)
CVE-2026-44277 (shared CWE-284)
CVE-2025-66509 (shared CWE-284)
CVE-2025-50900 (shared CWE-284)
CVE-2025-7016 (shared CWE-284)

Affected Assets

Vendor: opencode
Product: ussd gateway
Version: 6.32.2

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement · prevent

Directly enforces approved authorizations in the web-based control panel to prevent low-privileged users from accessing arbitrary SMS messages via manipulated tenant parameters.

SI-10 Information Input Validation · prevent

Validates the structure and content of the crafted company or tenant identifier parameter to block unauthorized access to SMS messages across tenants.

prevent

Restricts low-privileged users to only their authorized tenant's SMS messages, mitigating the scope of unauthorized access even if enforcement is flawed.
