CVE-2025-65235 is a critical SQL injection vulnerability identified in OpenCode Systems USSD Gateway OC Release 5 Version 6.13.11. The vulnerability arises from improper sanitization of the ID parameter within the getSubUsersByProvider function, allowing attackers to inject malicious SQL queries. This flaw enables remote, unauthenticated attackers to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or complete compromise of the database server. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 base score of 9.8 reflects the vulnerability's ease of exploitation (no privileges or user interaction required), network attack vector, and its severe impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's characteristics suggest it could be weaponized quickly. The affected product, OpenCode Systems USSD Gateway, is typically used by telecom operators to manage USSD services, which are critical for mobile network operations and customer interactions. Exploitation could allow attackers to access sensitive subscriber data, disrupt USSD services, or pivot to further network compromise. The lack of available patches at the time of disclosure increases the urgency for organizations to implement interim mitigations and monitor for suspicious activity.

For European organizations, particularly telecom operators and service providers using OpenCode Systems USSD Gateway, this vulnerability poses a severe risk. Successful exploitation could lead to unauthorized access to subscriber information, including personal and billing data, violating GDPR and other data protection regulations. Integrity of subscriber databases could be compromised, leading to fraudulent activities or service manipulation. Availability of USSD services, which are often used for critical mobile banking, customer support, and network management, could be disrupted, impacting millions of users. The reputational damage and regulatory penalties resulting from data breaches or service outages could be substantial. Additionally, attackers could leverage this vulnerability as a foothold to escalate privileges and move laterally within the network, threatening broader organizational assets. Given the critical nature of telecom infrastructure in Europe, such an attack could have cascading effects on communication services and emergency response capabilities.

Immediate mitigation should focus on input validation and sanitization of the ID parameter in the getSubUsersByProvider function to prevent SQL injection. Organizations should deploy Web Application Firewalls (WAFs) with rules specifically targeting SQL injection patterns to provide a protective barrier until a vendor patch is available. Network segmentation should be enforced to limit access to the USSD Gateway backend databases. Monitoring and logging of database queries and application logs should be enhanced to detect anomalous activities indicative of injection attempts. If possible, restrict network access to the USSD Gateway management interfaces to trusted IP addresses only. Organizations should engage with OpenCode Systems for official patches or updates and apply them promptly once released. Conducting regular security assessments and penetration testing focused on injection vulnerabilities is recommended to identify and remediate similar issues proactively. Finally, ensure incident response plans include scenarios for SQL injection attacks on critical telecom infrastructure.