OpenCode Systems Patches High-Severity Access Control Flaw in Messaging Gateways
Take action: Update your OpenCode messaging gateways to version 6.33.11 as soon as possible. The IDOR is real, and you cannot realistically stop tenants from logging in and using the platform, so the flaw is dangerous even if the gateway is properly isolated from the internet. Naturally, make sure it is isolated from the internet anyway.
The Bulgarian telecommunications software provider OpenCode Systems patched a high-severity access control vulnerability in its messaging and USSD gateway products. The flaw allows authenticated users with low privileges to bypass tenant isolation and view sensitive SMS data belonging to other organizations or individuals.
The vulnerability is tracked as CVE-2025-70614 (CVSS score 8.1): an improper access control vulnerability (IDOR) in the web interface of OC Messaging and USSD Gateway that occurs when the system fails to validate tenant identifiers. An attacker can exploit it by crafting the company or tenant parameters in web requests to bypass isolation boundaries, which allows an authenticated user to read SMS messages belonging to other tenants on the same system.
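The following is an added illustration of the flaw class described above, not OpenCode's code: a multi-tenant SMS lookup that trusts a client-supplied tenant identifier, next to a hardened version that scopes every query to the tenant bound to the authenticated session and records attempts to override it. The `company` parameter name, the message store and the session structure are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample store: message id -> (owning tenant, text)
MESSAGES = {
    101: ("tenant-a", "Your OTP is 482913"),
    202: ("tenant-b", "Invoice 77 is due Friday"),
}


@dataclass(frozen=True)
class Session:
    user: str
    tenant: str  # tenant bound to the login; set server-side, never by the client


def list_sms_vulnerable(session, params):
    """Vulnerable pattern: tenant scope is taken from the request, so any
    logged-in user can read another tenant's messages by changing 'company'."""
    tenant = params.get("company", session.tenant)
    return [text for owner, text in MESSAGES.values() if owner == tenant]


def list_sms_fixed(session, params, audit):
    """Fixed pattern: scope is always the session's tenant. A client value
    that disagrees with the session is refused and written to the audit log
    (a useful detection signal), never honoured."""
    requested = params.get("company")
    if requested is not None and requested != session.tenant:
        audit.append(
            f"tenant-mismatch user={session.user} "
            f"session={session.tenant} requested={requested}"
        )
        return None  # caller maps this to HTTP 403
    return [text for owner, text in MESSAGES.values() if owner == session.tenant]


def fetch_sms_fixed(session, message_id):
    """Object-level check for a direct id lookup: ownership is verified
    against the session tenant. Missing and foreign ids get the same answer
    so the response does not reveal which ids exist in other tenants."""
    entry = MESSAGES.get(message_id)
    if entry is None or entry[0] != session.tenant:
        return None
    return entry[1]
```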
The vulnerability breaks the multi-tenancy security model essential for service providers handling diverse client data. A malicious actor could steal private SMS communications, potentially exposing one-time passwords (OTPs), personal data, or sensitive business information. Because these gateways often sit at the core of mobile network operations, a breach poses significant privacy risks and could lead to large-scale data disclosure across multiple customer accounts.
The security flaw impacts two primary components of the OpenCode Systems portfolio:
- OC Messaging version 6.32.2
- USSD Gateway version 6.32.2
Organizations must upgrade to version 6.33.11 or later to resolve the access control flaw. CISA also recommends isolating these control systems from the public internet and using secure VPNs for any necessary remote management to prevent unauthorized network access.