SMSGate sms-core CVE-2026-37579
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
An issue in SMSGate sms-core<=2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component
AnalysisAI
Remote code execution in SMSGate sms-core versions 2.1.13.6 and earlier allows remote attackers to execute arbitrary code by sending crafted input to the Cmpp7FDeliverRequestMessageCodec.java component, which handles CMPP protocol message decoding. The CVSS 7.3 (AV:N/AC:L/PR:N/UI:N) vector indicates network-reachable, unauthenticated exploitation with low complexity, though EPSS scores this at only 0.06% (18th percentile) and there is no public exploit identified at time of analysis. SSVC indicates exploitation status is 'none' but the issue is automatable with partial technical impact across CIA.
Technical ContextAI
SMSGate is a Java-based SMS gateway implementation, and sms-core is the underlying library that handles the China Mobile Peer to Peer (CMPP) short-message protocol used by Chinese telecom carriers. The vulnerable Cmpp7FDeliverRequestMessageCodec.java class is a codec responsible for decoding inbound CMPP DELIVER (0x7F-family) message frames from network peers. The referenced advisory describes a deserialization vulnerability, consistent with the 'RCE' and 'Java' tags - a classic pattern where untrusted protocol input is passed to Java object deserialization (e.g., ObjectInputStream or a similar mechanism) without type validation, enabling gadget-chain-based arbitrary code execution. No CWE was assigned by NVD, but the behavior is consistent with CWE-502 (Deserialization of Untrusted Data).
Affected ProductsAI
SMSGate sms-core library at versions 2.1.13.6 and earlier are affected, specifically the Cmpp7FDeliverRequestMessageCodec.java component that processes CMPP DELIVER protocol messages. No official CPE has been published by NVD at time of analysis, and no vendor security advisory URL is provided - the sole reference is a third-party write-up at https://github.com/wudijun/jun.github.io/blob/main/SMSGate%20deserialization%20vulnerability.md which security teams should consult for technical details.
RemediationAI
No vendor-released patch identified at time of analysis; the only public reference is a third-party technical write-up rather than a vendor advisory or tagged release. Organizations running SMSGate sms-core should monitor the upstream project for a release beyond 2.1.13.6 and apply it as soon as available, consulting https://github.com/wudijun/jun.github.io/blob/main/SMSGate%20deserialization%20vulnerability.md for indicators. As compensating controls, restrict inbound CMPP connections to an allowlist of trusted carrier ISMG peer IP addresses at the firewall (trade-off: breaks any new peer onboarding until the allowlist is updated), terminate CMPP traffic through an authenticated reverse proxy or VPN that validates peer identity before it reaches the codec (trade-off: adds latency and operational complexity), and if the deserialization path uses standard Java ObjectInputStream, deploy a JVM-level deserialization allowlist via the jdk.serialFilter system property to block known gadget classes such as those from commons-collections, commons-beanutils, and Spring (trade-off: may break legitimate serialized payloads and requires careful filter tuning).
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today