PatchSiren cyber security CVE debrief
CVE-2025-70614 Unknown Vendor CVE debrief
CVE-2025-70614 is an authenticated access-control flaw in OpenCode Systems Custom Messaging Gateway 6.32.2. CISA’s advisory states that one authenticated user can access another authenticated user’s messages by using a crafted identifier parameter. The issue was publicly disclosed on 2026-03-26 and the advisory was revised on 2026-04-16 to update title and product information. CISA indicates the vulnerability was remediated in version 6.33.11.
- Vendor: Unknown Vendor
- Product: OpenCode Systems OC Messaging 6.32.2 Custom Messaging Gateway
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-26
- Original CVE updated: 2026-04-16
- Advisory published: 2026-03-26
- Advisory updated: 2026-04-16
Who should care
Administrators, security teams, and operators responsible for OC Messaging / Custom Messaging Gateway deployments should prioritize this issue, especially where authenticated users can view sensitive communications. Identity and access-control owners should also review authorization boundaries for message retrieval endpoints.
Technical summary
The source advisory describes a web access vulnerability that allows an authenticated user to retrieve another authenticated user’s messages by supplying a crafted identifier parameter. This aligns with a broken access control / improper authorization condition (CWE-284 is referenced in the source corpus). The supplied CVSS vector rates the issue as network exploitable, low complexity, low privileges, and no user interaction, with high confidentiality and integrity impact and no availability impact.
Defensive priority
High. The flaw is reachable over the network, requires only low privileges, and can expose sensitive message content across user boundaries. CISA’s remediation note identifies version 6.33.11 as the fixed release, so upgrade planning should be treated as urgent for exposed or business-critical deployments.
Recommended defensive actions
- Upgrade to the remediated version identified in the advisory: 6.33.11.
- Review message retrieval and identifier handling for authorization checks; ensure user-scoped access control is enforced server-side.
- Audit logs for unusual cross-user message access patterns around authenticated messaging actions.
- Restrict access to the gateway to trusted networks and authenticated administrative paths where feasible.
- Validate whether any downstream systems cache, forward, or archive messages that could widen exposure from this flaw.
- Track the revised CISA advisory for product/title normalization if you are correlating assets by name.
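The server-side, user-scoped authorization check the review item above calls for, together with the cross-user audit the log-review item describes, as an added example that is not code from OpenCode Systems or from the advisory. The message store, user names, message identifiers and access records are constructed for illustration; the flaw class (lookup by caller-supplied identifier with no ownership check) is the one the advisory describes.

```python
"""Message retrieval by identifier: broken pattern beside the hardened one."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    msg_id: int
    owner: str  # authenticated user the message belongs to
    body: str


# Constructed sample store (not real data): two users, three messages.
MESSAGES = {
    101: Message(101, "alice", "quarterly numbers attached"),
    102: Message(102, "alice", "call me re: contract"),
    201: Message(201, "bob", "reset link for shared mailbox"),
}


def fetch_message_unscoped(current_user: str, msg_id: int) -> Optional[Message]:
    """Broken pattern: the caller is authenticated, but the lookup ignores who
    they are, so any valid identifier returns any user's message (CWE-284)."""
    return MESSAGES.get(msg_id)


def fetch_message_scoped(current_user: str, msg_id: int) -> Optional[Message]:
    """Hardened pattern: the lookup is bound to the authenticated principal.
    A foreign identifier is indistinguishable from a non-existent one, so the
    response leaks neither the message nor the fact that it exists."""
    msg = MESSAGES.get(msg_id)
    if msg is None or msg.owner != current_user:
        return None  # caller sees "not found", never another user's message
    return msg


def flag_cross_user_access(access_log: list[tuple[str, int]]) -> list[tuple[str, int, str]]:
    """Audit helper for an unpatched gateway: join (accessor, msg_id) records
    against the ownership table and return every access where the accessor is
    not the owner. Records for unknown identifiers are ignored."""
    findings = []
    for accessor, msg_id in access_log:
        msg = MESSAGES.get(msg_id)
        if msg is not None and msg.owner != accessor:
            findings.append((accessor, msg_id, msg.owner))
    return findings
```

In a real gateway the ownership filter belongs in the query itself (e.g. `WHERE id = ? AND owner_id = ?`), so the check cannot be bypassed by a code path that forgets to call it.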
Evidence notes
All substantive claims are drawn from the CISA CSAF advisory in the provided corpus. The advisory states that OpenCode Systems Custom Messaging Gateway 6.32.2 contains a web access vulnerability allowing one authenticated user to access another authenticated user's messages via a crafted identifier parameter. The same source lists remediation in version 6.33.11 and shows an advisory revision on 2026-04-16. The CVSS vector supplied in the corpus is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.
Official resources
- CVE-2025-70614 CVE record (CVE.org)
- CVE-2025-70614 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in CISA’s advisory on 2026-03-26; advisory revised on 2026-04-16 to update title and product information. CISA states the vulnerability was identified on 2026-01-05 and remediated on 2026-01-06 with version 6.33.11.