CVE-2025-65236: n/a
OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint.
AI Analysis
Technical Summary
CVE-2025-65236 is a critical SQL injection vulnerability identified in OpenCode Systems USSD Gateway OC Release 5. The flaw exists in the handling of the Session ID parameter within the /occontrolpanel/index.php endpoint, where user-supplied input is not properly sanitized or parameterized before being incorporated into SQL queries. This allows remote attackers to inject malicious SQL code without requiring authentication or user interaction, exploiting the vulnerability over the network. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Successful exploitation can lead to unauthorized data access, modification, or deletion, potentially resulting in full compromise of the backend database and associated systems. The CVSS v3.1 score of 9.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no required privileges. Although no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers once weaponized. The USSD gateway is typically used by telecom operators and service providers to facilitate mobile communication services, making this vulnerability particularly impactful in telecommunications environments.
Potential Impact
For European organizations, especially telecom operators and service providers using OpenCode Systems USSD Gateway OC Release 5, this vulnerability could lead to severe consequences. Attackers could exfiltrate sensitive subscriber data, manipulate session information, or disrupt mobile service availability, undermining customer trust and regulatory compliance (e.g., GDPR). The compromise of backend databases could also facilitate further lateral movement within networks, leading to broader organizational breaches. Service outages caused by data corruption or deletion could impact millions of users, resulting in financial losses and reputational damage. Given the critical nature of telecom infrastructure in Europe, exploitation could have cascading effects on emergency services, business communications, and critical infrastructure reliant on mobile networks. Additionally, regulatory scrutiny and potential fines for data breaches could further impact affected organizations.
Mitigation Recommendations
Organizations should immediately audit their OpenCode Systems USSD Gateway OC Release 5 deployments to identify vulnerable instances. Since no official patches are currently listed, implement the following mitigations:
(1) Apply strict input validation and sanitization on the Session ID parameter, ensuring only expected formats are accepted;
(2) Refactor backend code to use parameterized queries or prepared statements to prevent SQL injection;
(3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the /occontrolpanel/index.php endpoint;
(4) Monitor logs for anomalous database queries or repeated failed access attempts;
(5) Restrict network access to the control panel endpoint to trusted IP addresses or VPNs;
(6) Conduct regular security assessments and penetration testing focusing on injection flaws;
(7) Prepare incident response plans specific to database compromise scenarios.
Organizations should also engage with OpenCode Systems for official patches or updates and apply them promptly once available.
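A defender-side log check supporting mitigations (1), (3) and (4), as an added example that is not part of the advisory or of OpenCode's code: it scans access-log lines for requests to /occontrolpanel/index.php and reports, per client, Session ID values that fall outside an allowlisted format. The parameter name `sid`, its placement in the query string, the ID format and the combined log format are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/occontrolpanel/index.php"          # path named in the advisory
SID_PARAM = "sid"                               # ASSUMPTION: hypothetical parameter name
SID_FORMAT = re.compile(r"[A-Za-z0-9]{16,64}")  # ASSUMPTION: expected Session ID format

# Prefix of a common/combined access-log line: client, timestamp, request, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def triage(lines):
    """Return {client_ip: [(timestamp, decoded_value), ...]} for requests to
    ENDPOINT whose Session ID value is outside the allowlisted format."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes, so encoded quotes and spaces are checked too.
        for value in parse_qs(url.query, keep_blank_values=True).get(SID_PARAM, []):
            if not SID_FORMAT.fullmatch(value):
                findings[m["ip"]].append((m["ts"], value))
    return dict(findings)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Nov/2025:10:00:01 +0000] "GET /occontrolpanel/index.php?sid=9f8e7d6c5b4a39281706f5e4d3c2b1a0 HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Nov/2025:10:00:05 +0000] "GET /occontrolpanel/index.php?sid=abc%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 87',
    '198.51.100.7 - - [26/Nov/2025:10:00:06 +0000] "GET /occontrolpanel/index.php?sid=abc%27-- HTTP/1.1" 500 87',
    '203.0.113.5 - - [26/Nov/2025:10:00:09 +0000] "GET /index.html?sid=x%27 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG).items():
        print(ip, len(hits), hits)
```

Standard access logs record only the request line, so a Session ID carried in a cookie or POST body needs a log source that captures those fields before this check can see it.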
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 692733b56d0980878b469f3f
Added to database: 11/26/2025, 5:07:01 PM
Last enriched: 12/3/2025, 5:41:17 PM
Last updated: 1/11/2026, 12:44:18 PM