
CVE-2025-65238: n/a

0
Unknown
Published: Wed Nov 26 2025 (11/26/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information.

AI-Powered Analysis

Last updated: 11/26/2025, 16:51:53 UTC

Technical Analysis

CVE-2025-65238 is a security vulnerability identified in the OpenCode Systems USSD Gateway OC Release 5, specifically version 6.13.11. The vulnerability arises from incorrect access control in the getSubUsersByProvider function, which is designed to retrieve user records associated with a given provider. Due to insufficient access restrictions, attackers possessing only low-level privileges can exploit this flaw to dump user records, thereby gaining unauthorized access to sensitive information. The vulnerability does not require elevated privileges or complex attack vectors, making it relatively easy to exploit once access to the system is obtained. The USSD Gateway is typically used by telecommunications providers to manage USSD sessions, which are critical for mobile banking, service subscriptions, and other telecom services. Exposure of user data through this vulnerability could lead to privacy breaches, identity theft, and further targeted attacks. Although no public exploits have been reported yet, the vulnerability's presence in a critical telecom component suggests a high risk if left unmitigated. The lack of a CVSS score indicates that the vulnerability is newly published and pending formal severity assessment. However, based on the nature of the flaw—unauthorized data disclosure via access control failure—the threat is significant. The vulnerability affects all deployments running the specified version of the USSD Gateway, and no patch links are currently available, indicating that organizations must rely on configuration changes or vendor advisories for mitigation.

Potential Impact

For European organizations, the impact of CVE-2025-65238 could be substantial, particularly for telecom operators and financial institutions that utilize USSD services for customer interactions and transactions. Unauthorized access to user records can lead to the exposure of personally identifiable information (PII), financial data, and authentication credentials, undermining customer trust and violating data protection regulations such as GDPR. The compromise of sensitive user data could facilitate identity theft, fraud, and targeted phishing attacks. Additionally, the breach could result in regulatory penalties and reputational damage. Since USSD gateways are integral to mobile network operations, exploitation of this vulnerability could disrupt service integrity and availability indirectly by enabling further attacks. The risk is heightened in countries with widespread USSD usage for mobile payments and banking, common in both urban and rural areas. The absence of known exploits in the wild provides a window for proactive defense, but the ease of exploitation means that attackers with minimal privileges could leverage this vulnerability rapidly once discovered.

Mitigation Recommendations

Organizations should immediately audit and tighten access controls around the getSubUsersByProvider function within the OpenCode Systems USSD Gateway. Restrict access strictly to authorized administrative roles and implement role-based access control (RBAC) policies to prevent low-privilege users from invoking sensitive functions. Network segmentation and strict firewall rules should limit access to the USSD Gateway management interfaces. Monitoring and logging of access to user data retrieval functions should be enhanced to detect anomalous or unauthorized queries. In the absence of an official patch, organizations should engage with OpenCode Systems for guidance and prioritize deployment of any forthcoming security updates. Additionally, consider implementing data encryption at rest and in transit to reduce the impact of potential data leaks. Conduct regular security assessments and penetration testing focused on access control mechanisms. Finally, prepare incident response plans specific to data breaches involving USSD services to minimize damage in case of exploitation.
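The monitoring recommendation above can be prototyped as a small log check. This is an added example, not OpenCode Systems code or part of the original record. The JSON audit format, its field names, the `admin` role and the threshold are assumptions, since the page does not document the gateway's real logging.

```python
import json
from collections import defaultdict

# Constructed sample audit records (JSON lines). Field names and values are
# assumptions; the page does not document the gateway's real log format.
SAMPLE_LOG = """\
{"ts":"2025-11-26T10:00:01Z","user":"admin1","role":"admin","own_provider":"P1","function":"getSubUsersByProvider","provider":"P1","rows":12}
{"ts":"2025-11-26T10:02:10Z","user":"agent7","role":"agent","own_provider":"P2","function":"getSubUsersByProvider","provider":"P2","rows":40}
{"ts":"2025-11-26T10:02:11Z","user":"agent7","role":"agent","own_provider":"P2","function":"getSubUsersByProvider","provider":"P3","rows":950}
{"ts":"2025-11-26T10:02:12Z","user":"agent7","role":"agent","own_provider":"P2","function":"getSubUsersByProvider","provider":"P4","rows":700}
{"ts":"2025-11-26T10:03:00Z","user":"agent9","role":"agent","own_provider":"P5","function":"someOtherFunction","provider":"P5","rows":1}
not-json garbage line
"""

SENSITIVE_FUNCTION = "getSubUsersByProvider"  # function named in the CVE description
ALLOWED_ROLES = {"admin"}   # assumption: only this role should invoke it
ENUM_THRESHOLD = 3          # distinct providers per caller before alerting

def find_suspicious_calls(log_text):
    """Return (alerts, skipped); alerts is a list of (user, reason, provider)."""
    alerts, skipped = [], 0
    providers_seen = defaultdict(set)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            user, role = rec["user"], rec["role"]
            own, asked, func = rec["own_provider"], rec["provider"], rec["function"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed record: count it rather than drop it silently
            continue
        if func != SENSITIVE_FUNCTION:
            continue
        if role not in ALLOWED_ROLES:
            alerts.append((user, "role-not-authorized", asked))
        if asked != own:
            alerts.append((user, "cross-provider", asked))
        providers_seen[user].add(asked)
        # Fire once, when a caller first reaches the enumeration threshold.
        if len(providers_seen[user]) == ENUM_THRESHOLD:
            alerts.append((user, "provider-enumeration", asked))
    return alerts, skipped

if __name__ == "__main__":
    for alert in find_suspicious_calls(SAMPLE_LOG)[0]:
        print(alert)
```
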


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69272cad6d0980878b3dd34e

Added to database: 11/26/2025, 4:37:01 PM

Last enriched: 11/26/2025, 4:51:53 PM

Last updated: 11/27/2025, 6:04:34 AM
