CVE-2025-70614
Broken Access Control in OpenCode OC Messaging Allows SMS Access
Publication date: 2026-03-05
Last updated on: 2026-05-06
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opencode | ussd_gateway | 6.32.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized disclosure of sensitive authentication data, including OTPs used for account recovery and login verification.'}, {'type': 'paragraph', 'content': "Exploitation may result in cross-tenant data access, potentially causing account compromise and unauthorized access to other companies' SMS messages."}] [1]
Can you explain this vulnerability to me?
CVE-2025-70614 is a broken access control vulnerability in OpenCode Systems OC Messaging / USSD Gateway version 6.32.2. It exists in the web-based control panel where an authenticated user with low privileges can manipulate the company or tenant identifier parameter in HTTP requests.
By crafting this parameter, the attacker can gain unauthorized access to SMS messages and one-time password (OTP) messages belonging to other companies within the multi-tenant environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the web-based control panel of OpenCode Systems OC Messaging / USSD Gateway version 6.32.2. Specifically, look for requests where the company or tenant identifier parameter is manipulated by authenticated low-privileged users.
Commands or methods to detect this include capturing and analyzing HTTP traffic to identify unusual or unauthorized access attempts to SMS or OTP messages by modifying the tenant identifier parameter.
- Use tools like curl or wget to manually test access by changing the company or tenant identifier parameter in HTTP requests.
- Use network traffic analyzers such as Wireshark or tcpdump to capture HTTP requests and inspect parameters for suspicious modifications.
- Check web server logs for requests from authenticated low-privileged users that include unusual or unauthorized tenant identifier values.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the web-based control panel to trusted users only and reviewing authentication and authorization controls to ensure that low-privileged users cannot manipulate tenant or company identifiers.
Additionally, monitor and audit access logs for suspicious activity related to tenant identifier manipulation.
If possible, apply any available patches or updates from OpenCode Systems addressing this vulnerability.
As a temporary measure, consider disabling access to the affected web-based control panel until a fix is applied.