HIGH 7.3

CVE-2026-37579

SMSGate sms-core versions 2.1.13.6 and earlier contain a remote code execution vulnerability in the CMPP7 message handling component. An unauthenticated attacker on the network can exploit this flaw to execute arbitrary code on affected systems without any user interaction, potentially gaining full control of the SMS gateway infrastructure.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-502
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

An issue in SMSGate sms-core<=2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the Cmpp7FDeliverRequestMessageCodec.java component of SMSGate sms-core and involves unsafe deserialization of CMPP7 protocol messages (CWE-502). The flaw allows remote code execution when a specially crafted CMPP7 deliver request message is processed. The network-accessible nature of SMS gateway services, combined with the absence of authentication requirements to trigger the vulnerability, creates a direct path for remote exploitation.

Business impact

SMS gateways are critical infrastructure for transactional messaging, two-factor authentication delivery, and business communications. Compromise of an SMS gateway through this vulnerability could enable attackers to intercept legitimate SMS messages, inject fraudulent messages, disrupt authentication flows for customer accounts, or use the compromised gateway as a pivot point into broader telecommunications infrastructure. For organizations relying on SMS for security-critical functions, this represents a significant operational and security risk.

Affected systems

SMSGate sms-core versions 2.1.13.6 and earlier are affected. Organizations should verify their exact SMSGate deployment version against the vendor advisory to determine if their instances fall within the vulnerable range. The vulnerability applies to any system running a susceptible version and exposed to network-based CMPP7 message traffic.

Exploitability

This vulnerability is readily exploitable. The attack requires no authentication, no special privileges, and no user interaction. An attacker with network access to the SMS gateway (whether internal or via direct internet exposure) can send a malicious CMPP7 message to trigger arbitrary code execution. The CVSS score of 7.3 (HIGH) reflects the combination of network accessibility, low attack complexity, and significant impact on confidentiality, integrity, and availability.

Remediation

Upgrade SMSGate sms-core to a patched version beyond 2.1.13.6. Verify the specific patch version through the vendor advisory and test in a non-production environment before deployment. As an interim measure, restrict network access to SMS gateway services using firewall rules to limit CMPP7 traffic to trusted peer systems only.

Patch guidance

Contact SMSGate or check their official advisory for the minimum patched version that addresses CVE-2026-37579. Apply patches during a maintenance window when SMS gateway downtime is acceptable. Verify patch installation by confirming the version number post-update and by testing CMPP7 message processing with benign traffic. Document the patch date and version for compliance and audit purposes.

Detection guidance

Monitor for unusual CMPP7 message patterns or malformed deliver request messages sent to the SMS gateway. Implement network-based intrusion detection signatures targeting CVE-2026-37579 exploitation attempts if available from your IDS vendor. Review SMS gateway logs for unexpected process execution, failed message parsing errors, or anomalous system behavior correlated with incoming CMPP7 traffic. Consider deploying Web Application Firewalls or protocol analyzers at the SMS gateway perimeter to validate CMPP7 message structure before processing.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH severity, unauthenticated remote code execution capability, and the critical nature of SMS gateway services in security and business operations. The absence of authentication requirements, network accessibility, and straightforward exploitability make this a prime target for both opportunistic and sophisticated threat actors. Organizations should prioritize patching or mitigating this vulnerability ahead of other medium-severity issues.

Risk score, explained

The CVSS 3.1 score of 7.3 reflects: network-based attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and impact to confidentiality, integrity, and availability (C:L/I:L/A:L). While the scope is unchanged, the combination of easy accessibility and code execution capability elevates this to HIGH severity. Organizations with internet-facing or internally networked SMS gateways face substantial risk.

Frequently asked questions

Is there a public exploit available for CVE-2026-37579?

The vulnerability description does not indicate active public exploitation or a documented proof-of-concept at the time of publication. However, given the straightforward nature of remote code execution vulnerabilities, treat this as potentially exploitable and prioritize patching immediately rather than waiting for exploit disclosure.

Do we need to patch immediately if our SMS gateway is behind a firewall?

Yes. While network segmentation provides a layer of defense, it is not a substitute for patching. Insider threats, compromised internal systems, or misconfigured firewall rules could allow attackers to reach your SMS gateway. Additionally, if your gateway processes CMPP7 traffic from external partners or cloud services, the risk remains. Patch as soon as feasible during a maintenance window.

How do I verify if my SMSGate version is vulnerable?

Check your SMSGate sms-core version number in the application configuration or logs. If it is 2.1.13.6 or earlier, you are affected. Cross-reference your version against the official SMSGate vendor advisory to confirm the patched version and upgrade path for your specific deployment.

What should we do while waiting for a patch to be tested and deployed?

Immediately restrict network access to your SMS gateway using firewall rules to allow only trusted CMPP7 peers. Implement network monitoring to detect suspicious CMPP7 traffic patterns. Increase logging of message processing events. If the gateway is internet-facing, consider temporarily taking it offline or moving it behind a VPN with strict access controls until the patch is applied and validated.

This analysis is provided for informational purposes to support security decision-making. While based on the published CVE record and CVSS assessment, specific patch versions, vendor advisories, and affected product variants should be verified directly with SMSGate and your vendor before making remediation decisions. No exploit code or weaponized proof-of-concepts are provided. Organizations should consult their incident response and change management procedures before implementing patches in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2025-11993HIGH

    CVE-2025-11993: WooCommerce Infinite Scroll Plugin PHP Object Injection – HIGH Severity

  • CVE-2026-24221HIGH

    CVE-2026-24221: NVIDIA NVTabular Deserialization Vulnerability – Patch & Detection Guide

  • CVE-2026-24237HIGH

    CVE-2026-24237 NVIDIA NVTabular Deserialization Remote Code Execution Vulnerability

  • CVE-2026-25551HIGH

    CVE-2026-25551: BarTender 2021–12.0.1 Insecure Deserialization Privilege Escalation

  • CVE-2026-38950HIGH

    CVE-2026-38950: ESA AnomalyMatch Arbitrary Code Execution via Unsafe PyTorch Deserialization

  • CVE-2026-39550HIGH

    CVE-2026-39550: Aperitif Theme Remote Code Execution via Object Injection

  • CVE-2026-39551HIGH

    CVE-2026-39551: Töbel Deserialization Remote Code Execution Vulnerability

  • CVE-2026-39555HIGH

    CVE-2026-39555: Askka Plugin Object Injection Deserialization Vulnerability (CVSS 8.1)