CVE-2025-70614 identifies a broken access control vulnerability in OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2. The vulnerability resides in the web-based control panel interface, where authenticated users with low privileges can exploit insufficient authorization checks. By crafting requests that manipulate the company or tenant identifier parameter, attackers can bypass intended access restrictions and retrieve arbitrary SMS messages belonging to other companies or tenants. This unauthorized access to SMS data can lead to exposure of sensitive communications, potentially including personal, financial, or operational information. The vulnerability does not require elevated privileges beyond authentication, making it easier for insiders or compromised low-privileged accounts to exploit. No CVSS score has been assigned yet, and no public exploits or patches are currently known. The issue highlights a failure in enforcing proper access control mechanisms on multi-tenant parameters within the control panel, which is critical in environments handling sensitive messaging data. Given the nature of the product—used in telecommunications and messaging gateways—the impact of unauthorized message disclosure can be significant. The vulnerability was reserved in January 2026 and published in March 2026, indicating recent discovery and disclosure. Organizations relying on this software should prioritize assessment and remediation to prevent data breaches.

The primary impact of CVE-2025-70614 is the unauthorized disclosure of SMS messages across company or tenant boundaries, violating confidentiality. This can lead to leakage of sensitive personal, corporate, or operational information, potentially facilitating further attacks such as social engineering, fraud, or espionage. The integrity and availability of the messaging system are not directly affected, but the breach of confidentiality alone can cause reputational damage, regulatory penalties, and loss of customer trust. Since exploitation requires only low-privileged authenticated access, the attack surface includes insiders, compromised user accounts, or attackers who have gained minimal access. Organizations with multi-tenant deployments or shared infrastructure are particularly vulnerable. The lack of known exploits suggests limited immediate threat, but the vulnerability's presence in critical telecom infrastructure could attract targeted attacks. Overall, the threat poses a high risk to organizations handling sensitive SMS communications, especially in regulated industries or regions with strict data privacy laws.

To mitigate CVE-2025-70614, organizations should implement the following specific measures: 1) Restrict access to the OC Messaging / USSD Gateway web control panel to trusted administrators only, using network segmentation and strong authentication mechanisms such as multi-factor authentication. 2) Conduct a thorough review and hardening of access control logic in the control panel, ensuring that company or tenant identifier parameters are properly validated and enforced to prevent unauthorized data access. 3) Monitor and audit access logs for unusual patterns, such as requests with manipulated tenant identifiers or access from unexpected accounts. 4) Engage with OpenCode Systems for updates or patches addressing this vulnerability and apply them promptly once available. 5) Consider implementing additional application-layer security controls like Web Application Firewalls (WAFs) to detect and block suspicious parameter tampering attempts. 6) Educate users about the risks of credential compromise and enforce strong password policies to reduce the risk of low-privileged account misuse. 7) If feasible, isolate tenant data storage and access paths to minimize cross-tenant data exposure risks. These targeted actions go beyond generic advice by focusing on the specific access control weakness and operational context of the affected product.