Compliance Impact

This vulnerability allows remote attackers to execute arbitrary code on the target server by exploiting insecure deserialization in the sms-core framework. Such unauthorized code execution can lead to unauthorized access, data breaches, or manipulation of sensitive information.

Consequently, organizations using affected versions of sms-core may face challenges in maintaining compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Failure to remediate this vulnerability could result in violations of these regulations due to potential data compromise, leading to legal and financial repercussions.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-37579 is a critical insecure deserialization vulnerability in the sms-core framework, specifically affecting versions up to 2.1.13.6 when using the CMPP 7F protocol. The flaw exists in the Cmpp7FDeliverRequestMessageCodec.decode() method, which deserializes the attachment field without validating the serialized data.

This lack of validation allows attackers to craft malicious serialized payloads that execute arbitrary code on the target server. The vulnerability arises because the FST serialization utility used does not enforce a class whitelist, enabling arbitrary class deserialization.

An attacker can send a specially crafted CMPP 7F protocol message containing a malicious payload embedded in the attachment field. When the server processes this message, it deserializes the payload, triggering the execution of arbitrary code remotely without authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary code on the affected server running the vulnerable sms-core version. This can lead to full compromise of the server, including unauthorized access, data theft, service disruption, or use of the server as a foothold for further attacks.

Since the exploit bypasses authentication and can be triggered remotely if the server is exposed to untrusted networks, it poses a significant security risk to organizations using the vulnerable sms-core framework.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for incoming CMPP 7F protocol messages containing suspicious or malformed serialized payloads in the attachment field, which are processed by the vulnerable sms-core versions (≤ 2.1.13.6).

Since the exploit involves deserialization of malicious objects, network detection could involve capturing and analyzing CMPP Deliver Request messages for unusual serialized data patterns.

Specific commands are not provided in the resources, but general approaches include using network packet capture tools like tcpdump or Wireshark to filter CMPP 7F protocol traffic, for example:

• tcpdump -i <interface> -w capture.pcap 'tcp port <CMPP_port>'
• Then analyze the capture with Wireshark or custom scripts to inspect the attachment field for suspicious serialized payloads.

Additionally, monitoring server logs for unexpected deserialization errors or execution of unusual commands (like calc.exe) may help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Update sms-core to a patched version that fixes the insecure deserialization vulnerability.
• Implement strict input validation on the deserialized data, especially the attachment field in CMPP 7F protocol messages.
• Configure the FST serialization library to use a class whitelist, preventing deserialization of arbitrary classes.
• Restrict network access to the SMS gateway server to trusted sources only, minimizing exposure to untrusted networks.

Useful 0 Not Useful 0