CVE-2025-70614
Received Received - Intake
Broken Access Control in OpenCode OC Messaging Allows SMS Access

Publication date: 2026-03-05

Last updated on: 2026-05-06

Assigner: MITRE

Description
OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain to access to arbitrary SMS messages via a crafted company or tenant identifier parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70614
EUVD
EUVD-2025-208325
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opencode ussd_gateway 6.32.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-70614 is a broken access control vulnerability in OpenCode Systems OC Messaging / USSD Gateway version 6.32.2. It exists in the web-based control panel where an authenticated user with low privileges can manipulate the company or tenant identifier parameter in HTTP requests.

By crafting this parameter, the attacker can gain unauthorized access to SMS messages and one-time password (OTP) messages belonging to other companies within the multi-tenant environment.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized disclosure of sensitive authentication data, including OTPs used for account recovery and login verification.'}, {'type': 'paragraph', 'content': "Exploitation may result in cross-tenant data access, potentially causing account compromise and unauthorized access to other companies' SMS messages."}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the web-based control panel of OpenCode Systems OC Messaging / USSD Gateway version 6.32.2. Specifically, look for requests where the company or tenant identifier parameter is manipulated by authenticated low-privileged users.

Commands or methods to detect this include capturing and analyzing HTTP traffic to identify unusual or unauthorized access attempts to SMS or OTP messages by modifying the tenant identifier parameter.

  • Use tools like curl or wget to manually test access by changing the company or tenant identifier parameter in HTTP requests.
  • Use network traffic analyzers such as Wireshark or tcpdump to capture HTTP requests and inspect parameters for suspicious modifications.
  • Check web server logs for requests from authenticated low-privileged users that include unusual or unauthorized tenant identifier values.
Mitigation Strategies

Immediate mitigation steps include restricting access to the web-based control panel to trusted users only and reviewing authentication and authorization controls to ensure that low-privileged users cannot manipulate tenant or company identifiers.

Additionally, monitor and audit access logs for suspicious activity related to tenant identifier manipulation.

If possible, apply any available patches or updates from OpenCode Systems addressing this vulnerability.

As a temporary measure, consider disabling access to the affected web-based control panel until a fix is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70614. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart