CP
cyberpings
VulnerabilitiesHIGH

Vulnerability in OpenCode Systems - Access SMS Messages

CICISA Advisories
CVE-2025-70614OpenCode SystemsOC MessagingUSSD Gateway
🎯

Basically, a flaw lets some users see others' SMS messages without permission.

Quick Summary

A vulnerability in OpenCode Systems' messaging products allows unauthorized access to SMS messages. This affects users of version 6.32.2, posing serious privacy risks. Immediate updates are recommended to mitigate the threat.

The Flaw

OpenCode Systems has identified a serious vulnerability in its OC Messaging and USSD Gateway products. This flaw, tracked as CVE-2025-70614, allows an authenticated low-privileged user to access SMS messages outside their authorized tenant scope. The vulnerability arises from improper access control, specifically through a crafted company or tenant identifier parameter.

The affected version is 6.32.2 for both OC Messaging and USSD Gateway. This means that if you are using these versions, your system may be at risk of unauthorized access to sensitive SMS messages, which could lead to privacy violations and data breaches.

What's at Risk

The potential impact of this vulnerability is significant. If exploited, it could allow unauthorized users to view SMS messages that are not intended for them. This could lead to exposure of sensitive information, including personal data and business communications. Given that these systems are used across various critical infrastructure sectors, the implications could extend beyond individual privacy concerns to broader security risks.

Organizations relying on OpenCode Systems for messaging services should be particularly vigilant. The vulnerability's CVSS score of 8.1 categorizes it as high severity, indicating that it poses a considerable risk to users and their data.

Patch Status

OpenCode Systems has acted swiftly to address this vulnerability. The company identified the issue on January 5, 2026, and a patch was released the very next day, on January 6, 2026, in version 6.33.11. Users are strongly encouraged to update their systems to this latest version to mitigate the risks associated with this vulnerability.

Additionally, organizations should conduct a thorough review of their security protocols and ensure that all systems are running the most current software versions to protect against potential exploits.

Immediate Actions

To protect against this vulnerability, users should take immediate steps:

  • Update to the latest version (6.33.11) of OpenCode Systems OC Messaging and USSD Gateway.
  • Review access controls and permissions for users within the system to ensure they align with organizational policies.
  • Monitor for any unusual access patterns or unauthorized attempts to access SMS messages.

Furthermore, organizations should implement best practices for cybersecurity, such as minimizing network exposure for control systems and utilizing secure remote access methods like VPNs. Following these guidelines can help safeguard against potential exploitation of vulnerabilities like CVE-2025-70614.

🔒 Pro insight: The rapid patch release indicates OpenCode Systems' commitment to security, but users must remain vigilant for potential exploitation attempts.

Original article from

CISA Advisories · CISA

Read Full Article

Share

Related Pings

CRITICALVulnerabilities

CVE-2026-33634 - Critical Vulnerability Added to CISA Catalog

CISA has added a new critical vulnerability to its KEV Catalog. CVE-2026-33634 affects Aqua Security's Trivy, posing risks to federal networks. Organizations must act quickly to mitigate potential threats.

CISA Advisories·
HIGHVulnerabilities

iOS 26 Security - Leaked Tools Expose Millions to Spyware

Leaked hacking tools put millions of older iPhones at risk. Cybersecurity experts warn that outdated devices are vulnerable to spyware attacks. Users must update their software to stay safe.

TechCrunch Security·
HIGHVulnerabilities

Vulnerabilities in AI-Generated Code - Researchers Warn

Researchers at Georgia Tech have found a sharp rise in vulnerabilities linked to AI-generated code. This surge in CVEs raises serious concerns for software security. Developers must be vigilant as AI tools become more prevalent in coding practices.

Infosecurity Magazine·
CRITICALVulnerabilities

Langflow Vulnerability - CISA Warns of Critical Code Injection

CISA has flagged a critical code injection vulnerability in Langflow, tracked as CVE-2026-33017. This flaw allows attackers to exploit the platform without authentication. Organizations must act quickly to apply patches or discontinue use to avoid serious risks.

Cyber Security News·
CRITICALVulnerabilities

PTC Windchill - Critical Remote Code Execution Vulnerability

A critical vulnerability in PTC Windchill could allow attackers to execute code remotely. Affected versions include several Windchill and FlexPLM releases. Immediate action is essential to protect systems from exploitation.

CISA Advisories·
HIGHVulnerabilities

IDrive Vulnerability - Attackers Can Escalate Privileges

A critical vulnerability in IDrive for Windows allows attackers to escalate privileges. This flaw affects users of versions 7.0.0.63 and earlier, putting their systems at risk. Immediate action is necessary until a patch is released.

Cyber Security News·