CVE-2025-65238: n/a
Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information.
AI Analysis
Technical Summary
CVE-2025-65238 is a vulnerability identified in the OpenCode Systems USSD Gateway OC Release 5 Version 6.13.11, specifically within the getSubUsersByProvider function. This function suffers from incorrect access control, classified under CWE-284, which allows attackers possessing low-level privileges to bypass intended restrictions and dump user records. The vulnerability enables unauthorized disclosure of sensitive user information, compromising confidentiality without affecting integrity or availability. The CVSS v3.1 base score is 6.5, reflecting a medium severity with network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and impacting confidentiality only (C:H/I:N/A:N). Exploitation does not require user interaction and can be performed remotely, making it a significant concern for organizations relying on this USSD gateway for mobile communication services. No patches or known exploits are currently available, indicating the need for proactive mitigation. The vulnerability could be leveraged by malicious insiders or low-privilege external attackers to harvest sensitive user data, potentially facilitating further attacks or privacy violations.
Potential Impact
For European organizations, particularly telecom operators and mobile service providers using OpenCode Systems USSD Gateway OC Release 5 Version 6.13.11, this vulnerability poses a risk of sensitive user data exposure. Confidentiality breaches can lead to privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential financial penalties. Since USSD gateways are integral to mobile network services, exploitation could undermine customer trust and service integrity. Although the vulnerability does not affect system availability or integrity, the unauthorized disclosure of user records could facilitate identity theft, targeted phishing, or social engineering attacks. The impact is heightened in countries with strict data protection laws and large mobile user bases. Organizations may also face increased scrutiny from regulators if they fail to address this vulnerability promptly.
Mitigation Recommendations
1. Implement strict access control policies ensuring that the getSubUsersByProvider function is accessible only to authorized high-privilege users. 2. Conduct thorough privilege audits to identify and restrict low-level user permissions that could be exploited. 3. Monitor and log all access to user records, with alerts for unusual or bulk data retrieval activities. 4. Apply network segmentation to limit exposure of the USSD gateway to trusted internal networks only. 5. Engage with OpenCode Systems for official patches or updates and apply them as soon as they become available. 6. Conduct regular security assessments and penetration testing focused on access control mechanisms. 7. Educate staff about the risks of privilege misuse and enforce strict operational security policies. 8. Consider implementing additional application-layer controls such as rate limiting and anomaly detection to detect exploitation attempts.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
CVE-2025-65238: n/a
Description
Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information.
AI-Powered Analysis
Technical Analysis
CVE-2025-65238 is a vulnerability identified in the OpenCode Systems USSD Gateway OC Release 5 Version 6.13.11, specifically within the getSubUsersByProvider function. This function suffers from incorrect access control, classified under CWE-284, which allows attackers possessing low-level privileges to bypass intended restrictions and dump user records. The vulnerability enables unauthorized disclosure of sensitive user information, compromising confidentiality without affecting integrity or availability. The CVSS v3.1 base score is 6.5, reflecting a medium severity with network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and impacting confidentiality only (C:H/I:N/A:N). Exploitation does not require user interaction and can be performed remotely, making it a significant concern for organizations relying on this USSD gateway for mobile communication services. No patches or known exploits are currently available, indicating the need for proactive mitigation. The vulnerability could be leveraged by malicious insiders or low-privilege external attackers to harvest sensitive user data, potentially facilitating further attacks or privacy violations.
Potential Impact
For European organizations, particularly telecom operators and mobile service providers using OpenCode Systems USSD Gateway OC Release 5 Version 6.13.11, this vulnerability poses a risk of sensitive user data exposure. Confidentiality breaches can lead to privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential financial penalties. Since USSD gateways are integral to mobile network services, exploitation could undermine customer trust and service integrity. Although the vulnerability does not affect system availability or integrity, the unauthorized disclosure of user records could facilitate identity theft, targeted phishing, or social engineering attacks. The impact is heightened in countries with strict data protection laws and large mobile user bases. Organizations may also face increased scrutiny from regulators if they fail to address this vulnerability promptly.
Mitigation Recommendations
1. Implement strict access control policies ensuring that the getSubUsersByProvider function is accessible only to authorized high-privilege users. 2. Conduct thorough privilege audits to identify and restrict low-level user permissions that could be exploited. 3. Monitor and log all access to user records, with alerts for unusual or bulk data retrieval activities. 4. Apply network segmentation to limit exposure of the USSD gateway to trusted internal networks only. 5. Engage with OpenCode Systems for official patches or updates and apply them as soon as they become available. 6. Conduct regular security assessments and penetration testing focused on access control mechanisms. 7. Educate staff about the risks of privilege misuse and enforce strict operational security policies. 8. Consider implementing additional application-layer controls such as rate limiting and anomaly detection to detect exploitation attempts.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2025-11-18T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 69272cad6d0980878b3dd34e
Added to database: 11/26/2025, 4:37:01 PM
Last enriched: 12/3/2025, 5:35:44 PM
Last updated: 1/11/2026, 12:43:01 PM
Views: 68
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-15506: Out-of-Bounds Read in AcademySoftwareFoundation OpenColorIO
MediumYARA-X 1.11.0 Release: Hash Function Warnings, (Sun, Jan 11th)
MediumCVE-2026-0843: SQL Injection in jiujiujia jjjfood
MediumCVE-2026-0842: Missing Authentication in Flycatcher Toys smART Sketcher
MediumCVE-2026-0841: Buffer Overflow in UTT 进取 520W
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.