CVE-2025-65236: n/a
OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint.
AI Analysis
Technical Summary
CVE-2025-65236 identifies a SQL injection vulnerability within OpenCode Systems USSD Gateway OC Release 5, specifically in the /occontrolpanel/index.php endpoint through the Session ID parameter. SQL injection vulnerabilities occur when untrusted input is improperly sanitized before being incorporated into SQL queries, allowing attackers to execute arbitrary SQL commands. In this case, the Session ID parameter is vulnerable, enabling attackers to manipulate database queries. This could lead to unauthorized data disclosure, data modification, or even full compromise of the backend database. USSD gateways are critical components in telecom infrastructure, facilitating communication between mobile devices and network services. Compromise of such a gateway could disrupt telecom services or expose sensitive subscriber data. The vulnerability does not require authentication or user interaction, making it easier for attackers to exploit remotely. Although no public exploits are currently known, the vulnerability's presence in a widely used telecom component raises significant concern. The lack of a CVSS score necessitates an independent severity assessment based on impact and exploitability factors. The vulnerability was published on November 26, 2025, shortly after its reservation date, indicating recent discovery. No patches or mitigations have been officially released yet, emphasizing the need for immediate defensive measures.
Potential Impact
For European organizations, particularly telecom operators and service providers using OpenCode Systems USSD Gateway OC Release 5, this vulnerability could lead to severe consequences. Attackers exploiting the SQL injection could access or alter sensitive subscriber information, including session data and potentially billing or authentication records. This breach of confidentiality could result in regulatory penalties under GDPR and damage to customer trust. Additionally, manipulation of the database could disrupt USSD services, impacting availability and causing operational outages. Given the critical role of USSD in mobile communications, such disruptions could affect large user bases and emergency services. The vulnerability's ease of exploitation without authentication increases the risk of widespread attacks. Furthermore, attackers could leverage this access as a foothold for lateral movement within telecom networks, escalating the threat to broader infrastructure. The absence of known exploits currently provides a window for proactive defense, but also means organizations must act swiftly to prevent future attacks. Overall, the impact spans confidentiality, integrity, and availability, with potential regulatory, financial, and reputational repercussions for affected European entities.
Mitigation Recommendations
European organizations should immediately audit their USSD gateway deployments to identify the presence of OpenCode Systems USSD Gateway OC Release 5. Until an official patch is released, implement strict input validation and sanitization on the Session ID parameter to prevent injection of malicious SQL code. Employ parameterized queries or prepared statements in the application code to eliminate direct concatenation of user inputs into SQL commands. Restrict access to the /occontrolpanel/index.php endpoint by enforcing network-level controls such as IP whitelisting and VPN-only access. Enable detailed logging and monitoring of access to the control panel and database queries to detect suspicious activity indicative of exploitation attempts. Conduct regular security assessments and penetration testing focused on injection vulnerabilities. Coordinate with OpenCode Systems for timely patch deployment once available. Additionally, implement web application firewalls (WAFs) with rules targeting SQL injection patterns as an interim protective measure. Educate operational staff about the vulnerability and response procedures to ensure rapid incident handling. Finally, review and enhance overall database security, including least privilege principles and segmentation, to limit potential damage from any successful exploit.
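The logging, access-restriction and Session ID validation steps above can be combined into one log review, shown here as an added example that is not code from OpenCode Systems or from this advisory. It assumes combined-format web access logs, a Session ID carried as a query-string parameter named `sessionid`, an alphanumeric token format, and a management range of 10.20.0.0/24; all four are placeholders to adjust to the real deployment.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/occontrolpanel/index.php"               # path named in the advisory
SESSION_PARAM = "sessionid"                          # assumption: real name may differ
SESSION_RE = re.compile(r"[A-Za-z0-9]{16,64}")       # assumption: opaque alphanumeric token
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: management/VPN range

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def review_line(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, _method, target, _status = m.groups()
    url = urlsplit(target)
    if url.path != ENDPOINT:
        return []
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return ["unparseable-client"]
    findings = []
    if not any(ip in net for net in ADMIN_NETS):
        findings.append("source-outside-allowlist")
    # parse_qs percent-decodes values, so encoded metacharacters are seen.
    for value in parse_qs(url.query, keep_blank_values=True).get(SESSION_PARAM, []):
        if not SESSION_RE.fullmatch(value):
            findings.append("malformed-session-id")
    return findings

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.20.0.15 - - [26/Nov/2025:17:07:01 +0000] "GET /occontrolpanel/index.php?sessionid=4f9a1c7e2b8d4a6f9c0e1d2b3a4c5d6e HTTP/1.1" 200 5120',
    '203.0.113.40 - - [26/Nov/2025:17:08:12 +0000] "GET /occontrolpanel/index.php?sessionid=4f9a1c7e2b8d4a6f9c0e1d2b3a4c5d6e HTTP/1.1" 200 5120',
    '10.20.0.15 - - [26/Nov/2025:17:09:44 +0000] "GET /occontrolpanel/index.php?sessionid=4f9a%27%20-- HTTP/1.1" 500 312',
    '198.51.100.7 - - [26/Nov/2025:17:10:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def review_log(lines):
    """Map line number -> findings for every line that raised at least one."""
    return {n: f for n, line in enumerate(lines, 1) if (f := review_line(line))}

if __name__ == "__main__":
    for n, findings in review_log(SAMPLE_LOG).items():
        print(n, findings)
```

The same allow-list pattern for the Session ID can back a WAF or reverse-proxy rule, so that a request that would be flagged here is rejected before it reaches the control panel.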
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 692733b56d0980878b469f3f
Added to database: 11/26/2025, 5:07:01 PM
Last enriched: 11/26/2025, 5:18:30 PM
Last updated: 11/27/2025, 6:23:14 AM