Skip to main content

SMSGate sms-core CVE-2026-37579

HIGH
Deserialization of Untrusted Data (CWE-502)
2026-05-28 cve@mitre.org
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 22:30 vuln.today
CVSS changed
May 29, 2026 - 20:22 NVD
7.3 (HIGH)
CVE Published
May 28, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An issue in SMSGate sms-core<=2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component

AnalysisAI

Remote code execution in SMSGate sms-core versions 2.1.13.6 and earlier allows remote attackers to execute arbitrary code by sending crafted input to the Cmpp7FDeliverRequestMessageCodec.java component, which handles CMPP protocol message decoding. The CVSS 7.3 (AV:N/AC:L/PR:N/UI:N) vector indicates network-reachable, unauthenticated exploitation with low complexity, though EPSS scores this at only 0.06% (18th percentile) and there is no public exploit identified at time of analysis. SSVC indicates exploitation status is 'none' but the issue is automatable with partial technical impact across CIA.

Technical ContextAI

SMSGate is a Java-based SMS gateway implementation, and sms-core is the underlying library that handles the China Mobile Peer to Peer (CMPP) short-message protocol used by Chinese telecom carriers. The vulnerable Cmpp7FDeliverRequestMessageCodec.java class is a codec responsible for decoding inbound CMPP DELIVER (0x7F-family) message frames from network peers. The referenced advisory describes a deserialization vulnerability, consistent with the 'RCE' and 'Java' tags - a classic pattern where untrusted protocol input is passed to Java object deserialization (e.g., ObjectInputStream or a similar mechanism) without type validation, enabling gadget-chain-based arbitrary code execution. No CWE was assigned by NVD, but the behavior is consistent with CWE-502 (Deserialization of Untrusted Data).

Affected ProductsAI

SMSGate sms-core library at versions 2.1.13.6 and earlier are affected, specifically the Cmpp7FDeliverRequestMessageCodec.java component that processes CMPP DELIVER protocol messages. No official CPE has been published by NVD at time of analysis, and no vendor security advisory URL is provided - the sole reference is a third-party write-up at https://github.com/wudijun/jun.github.io/blob/main/SMSGate%20deserialization%20vulnerability.md which security teams should consult for technical details.

RemediationAI

No vendor-released patch identified at time of analysis; the only public reference is a third-party technical write-up rather than a vendor advisory or tagged release. Organizations running SMSGate sms-core should monitor the upstream project for a release beyond 2.1.13.6 and apply it as soon as available, consulting https://github.com/wudijun/jun.github.io/blob/main/SMSGate%20deserialization%20vulnerability.md for indicators. As compensating controls, restrict inbound CMPP connections to an allowlist of trusted carrier ISMG peer IP addresses at the firewall (trade-off: breaks any new peer onboarding until the allowlist is updated), terminate CMPP traffic through an authenticated reverse proxy or VPN that validates peer identity before it reaches the codec (trade-off: adds latency and operational complexity), and if the deserialization path uses standard Java ObjectInputStream, deploy a JVM-level deserialization allowlist via the jdk.serialFilter system property to block known gadget classes such as those from commons-collections, commons-beanutils, and Spring (trade-off: may break legitimate serialized payloads and requires careful filter tuning).

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-37579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy