CVE-2025-65239 is a security vulnerability identified in the OpenCode Systems USSD Gateway OC Release 5, specifically version 6.13.11. The flaw resides in the /aux1/ocussd/trace endpoint, which suffers from incorrect access control mechanisms. This misconfiguration allows attackers who possess only low-level privileges—potentially standard user accounts or minimally privileged service accounts—to access and read server log files. Server logs often contain sensitive information such as system events, error messages, user activity, and potentially credentials or tokens, which can be leveraged for further attacks or reconnaissance. The vulnerability does not require elevated privileges or user interaction, increasing its risk profile. Although no CVSS score has been assigned and no known exploits have been reported in the wild, the flaw represents a significant information disclosure risk. The lack of patch information suggests that vendors or users have yet to address this issue, emphasizing the need for immediate attention. The vulnerability is categorized as an access control weakness, which is a common and critical security concern in web-facing applications and services. Given the nature of USSD gateways, which are integral to telecom operations and mobile service delivery, exploitation could impact telecommunications providers and their customers.

For European organizations, especially telecom operators and service providers using OpenCode Systems USSD Gateway OC Release 5 version 6.13.11, this vulnerability could lead to unauthorized disclosure of sensitive operational data. Exposure of server logs may reveal system configurations, user activities, error states, or even sensitive authentication tokens, enabling attackers to plan further intrusions or disrupt services. This could result in loss of confidentiality, potential regulatory non-compliance (e.g., GDPR breaches if personal data is exposed), reputational damage, and operational disruptions. Since USSD gateways are critical infrastructure components for mobile network operators, exploitation could indirectly affect millions of users relying on mobile services. The vulnerability’s ease of exploitation by low-privileged users increases the risk of insider threats or lateral movement within compromised networks. Although no active exploitation is reported, the potential impact on confidentiality and trust in telecom services is significant.

To mitigate this vulnerability, organizations should immediately audit and restrict access controls on the /aux1/ocussd/trace endpoint to ensure only authorized, high-privilege users can access server logs. Network segmentation and firewall rules should be applied to limit exposure of this endpoint to trusted internal networks only. Implement strict authentication and authorization mechanisms, including role-based access control (RBAC), to prevent low-privileged users from accessing sensitive endpoints. Regularly monitor access logs for unusual or unauthorized attempts to access the /aux1/ocussd/trace endpoint. If possible, disable or remove unnecessary diagnostic endpoints in production environments. Engage with OpenCode Systems for official patches or updates addressing this vulnerability and apply them promptly once available. Additionally, conduct internal security assessments and penetration tests focusing on access control weaknesses in telecom infrastructure components. Finally, ensure incident response plans include procedures for handling potential information disclosure incidents related to this vulnerability.