ACCORDING to CISA, the ICS Advisory ICSA-26-085-02 addresses a vulnerability in OpenCode Systems OC Messaging and USSD Gateway that could allow an authenticated low-privileged user to access SMS messages outside of their authorised tenant scope via a crafted company or tenant identifier parameter. The affected products are OC Messaging 6.32.2 and USSD Gateway 6.32.2, both associated with CVE-2025-70614 and carrying a CVSS v3.1 base score of 8.1 (HIGH).
OpenCode Systems identified the issue on 5 January 2026 and remediated it on 6 January 2026 with the release of version 6.33.11. The advisory notes the vulnerability arises from improper access control and provides mitigation guidance, including minimising network exposure and isolating control system networks behind firewalls, with secure remote access such as updated VPNs. The background lists worldwide deployment in the communications sector and Bulgaria as the company headquarters location. Acknowledgements credit Hussein Amer for reporting the vulnerability to CISA.