Improper Access Control in OpenCode Systems OC Messaging and USSD Gateway (CVE‑2025‑70614) Enables Cross‑Tenant SMS Access
What It Is – An improper‑access‑control vulnerability (CVE‑2025‑70614) in OpenCode Systems OC Messaging and USSD Gateway 6.32.2 allows an authenticated, low‑privileged user to retrieve SMS messages belonging to another tenant by supplying a crafted identifier parameter in a web request; the gateway does not verify that the referenced message belongs to the caller's own tenant.
Exploitability – The flaw is publicly disclosed and carries a CVSS v3.1 base score of 8.1 (High). It is exploitable remotely by any authenticated user, including low‑privileged accounts. No public exploit code has been released, but exploitation requires nothing more than a valid account and a modified identifier in an otherwise ordinary request.
Affected Products – OpenCode Systems OC Messaging 6.32.2 and OpenCode Systems USSD Gateway 6.32.2.
TPRM Impact – Organizations that rely on OpenCode’s messaging platform as a third‑party service risk inadvertent exposure of confidential communications, potential regulatory violations (e.g., GDPR, HIPAA), and downstream reputational damage.
Recommended Actions –
- Upgrade OC Messaging and USSD Gateway to version 6.33.11 or later immediately.
- Verify tenant isolation after upgrading: from a low‑privileged account in one tenant, request message identifiers that belong to another tenant and confirm the gateway refuses them. Enforce strict role‑based access policies for all gateway accounts.
- Review audit logs for cross‑tenant message access across the full log retention window, not only the period since disclosure, since the flaw may have been exploited before it was published. Look for accounts reading message identifiers owned by other tenants, and for bursts of requests with sequential or unknown identifiers, which indicate enumeration.
- Conduct a risk assessment of any data that may have been exposed and notify affected parties if required.
- Incorporate the vendor's remediation timeline into your supplier‑risk program.
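The tenant‑isolation check and the log review above can be mechanised. The following is an added example, not code from the CISA advisory or from OpenCode Systems: it reads a constructed JSON‑lines audit log, compares the tenant of each successful message read against a constructed inventory of which tenant owns each message identifier, and reports every cross‑tenant read plus a per‑account summary so that a single stray read can be told apart from systematic enumeration. The log field names (`user`, `tenant`, `action`, `msg_id`, `status`) and all identifiers are assumptions; the real gateway's audit format will differ and must be mapped onto these fields before use.

```python
"""Audit-log review for cross-tenant SMS reads.

Added example; not part of the CISA advisory or OpenCode's product.
Log format, field names, tenants and message identifiers are constructed
for illustration and will not match a real OC Messaging deployment.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Constructed inventory: owning tenant for each message identifier.
# In practice this is exported from the platform's message store.
MESSAGE_OWNER: Dict[str, str] = {
    "msg-1001": "tenant-A",
    "msg-1002": "tenant-A",
    "msg-2001": "tenant-B",
    "msg-2002": "tenant-B",
    "msg-3001": "tenant-C",
}

# Constructed audit log (JSON lines). bob, in tenant-B, reads two tenant-A
# messages and one tenant-C message; carol probes an id that does not exist.
SAMPLE_LOG = """\
{"ts":"2026-03-20T09:00:01Z","user":"alice","tenant":"tenant-A","action":"sms.read","msg_id":"msg-1001","status":200}
{"ts":"2026-03-20T09:00:05Z","user":"alice","tenant":"tenant-A","action":"sms.read","msg_id":"msg-1002","status":200}
{"ts":"2026-03-20T09:01:10Z","user":"bob","tenant":"tenant-B","action":"sms.read","msg_id":"msg-1001","status":200}
{"ts":"2026-03-20T09:01:11Z","user":"bob","tenant":"tenant-B","action":"sms.read","msg_id":"msg-1002","status":200}
{"ts":"2026-03-20T09:01:12Z","user":"bob","tenant":"tenant-B","action":"sms.read","msg_id":"msg-3001","status":200}
{"ts":"2026-03-20T09:02:00Z","user":"carol","tenant":"tenant-C","action":"sms.read","msg_id":"msg-9999","status":404}
{"ts":"2026-03-20T09:02:30Z","user":"bob","tenant":"tenant-B","action":"sms.read","msg_id":"msg-2001","status":200}
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    requester_tenant: str
    msg_id: str
    owner_tenant: Optional[str]  # None: id unknown to the inventory


def parse_log(text: str) -> Iterator[dict]:
    """Yield one event per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def find_cross_tenant_reads(log_text: str,
                            owners: Dict[str, str] = MESSAGE_OWNER) -> List[Finding]:
    """Return every *successful* read whose requester tenant differs from the
    message's owning tenant. A 200 for an id missing from the inventory is
    also flagged: either the inventory is incomplete or the read hit data
    the reviewer cannot account for. Refused reads (non-200) are skipped
    here; they are counted separately by count_failed_reads()."""
    findings: List[Finding] = []
    for ev in parse_log(log_text):
        if ev.get("action") != "sms.read" or ev.get("status") != 200:
            continue
        owner = owners.get(ev["msg_id"])
        if owner != ev["tenant"]:
            findings.append(Finding(ev["ts"], ev["user"], ev["tenant"],
                                    ev["msg_id"], owner))
    return findings


def summarize_by_account(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each offending account to the sorted list of foreign tenants it read.
    Several distinct tenants from one account points to identifier enumeration
    rather than a one-off mistake."""
    by_user: Dict[str, set] = defaultdict(set)
    for f in findings:
        if f.owner_tenant is not None:
            by_user[f.user].add(f.owner_tenant)
    return {u: sorted(t) for u, t in by_user.items()}


def count_failed_reads(log_text: str) -> Dict[str, int]:
    """Count refused reads per account; a high count next to successful
    cross-tenant reads suggests the account was guessing identifiers."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in parse_log(log_text):
        if ev.get("action") == "sms.read" and ev.get("status") != 200:
            counts[ev["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_cross_tenant_reads(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.user}@{h.requester_tenant} read {h.msg_id} "
              f"owned by {h.owner_tenant}")
    print("foreign tenants per account:", summarize_by_account(hits))
    print("refused reads per account:", count_failed_reads(SAMPLE_LOG))
```

Run it against the real export by replacing `SAMPLE_LOG` with the gateway's audit data and `MESSAGE_OWNER` with the message‑to‑tenant mapping, covering the whole retention window. The same tenant‑versus‑owner comparison is the check the application itself should have enforced before returning a message, which is why a zero‑finding result after upgrading is also evidence that the isolation control is working.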
Source: CISA Advisory – ICSA‑26‑085‑02