PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-37579 SMSGate CVE debrief

A deserialization vulnerability in SMSGate sms-core versions 2.1.13.6 and earlier allows remote code execution through the Cmpp7FDeliverRequestMessageCodec.java component. The vulnerability was disclosed on May 28, 2026, with a proof-of-concept reference published to GitHub. No CVSS score or severity rating has been assigned by NVD at this time. The affected vendor and product details remain under review pending additional authoritative sources.

Vendor
SMSGate
Product
sms-core
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations operating SMS gateway infrastructure, telecommunications providers using CMPP protocol implementations, security teams monitoring Java deserialization attack vectors

Technical summary

The vulnerability exists in the Cmpp7FDeliverRequestMessageCodec.java component of SMSGate sms-core, a Java-based SMS gateway implementation. The China Mobile Peer-to-Peer (CMPP) protocol handler fails to properly validate deserialized objects, permitting attackers to inject malicious payloads that execute arbitrary code when processed. This represents a critical attack surface for telecommunications infrastructure relying on CMPP 7.0 message handling.

Defensive priority

high

Recommended defensive actions

  • Review SMSGate sms-core deployments and identify systems running version 2.1.13.6 or earlier
  • Apply network segmentation to restrict access to SMS gateway components
  • Monitor for deserialization attack patterns targeting Java applications
  • Await vendor security advisory for official patch guidance
  • Review application logs for anomalous Cmpp7FDeliverRequestMessageCodec.java activity

Evidence notes

CVE published 2026-05-28. Source reference indicates deserialization vulnerability in Java-based SMS gateway component. No vendor advisory or patch information available in source corpus.

Official resources

2026-05-28