CVE-2026-37579
Description
An issue in SMSGate sms-core <= 2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
sms-core ≤2.1.13.6 deserializes untrusted data in CMPP 7F packets, enabling remote code execution via crafted attachment fields.
Vulnerability
An insecure deserialization vulnerability exists in the Cmpp7FDeliverRequestMessageCodec.java component of sms-core (versions ≤2.1.13.6) when processing the CMPP 7F protocol variant. The decode() method (lines 98–107) calls FstObjectSerializeUtil to deserialize the attachment field without any validation or sandboxing, allowing an attacker to supply a malicious serialized object [1]. Only the 7F protocol version is affected; CMPP 2.0 and 3.0 are not impacted [1].
Exploitation
An attacker with network access to the SMS gateway server’s CMPP 7F endpoint can craft a specially formed packet containing a serialized payload in the attachment field. The server’s Cmpp7FDeliverRequestMessageCodec.decode() method passes this data directly to FstObjectSerializeUtil.deserialize(), which executes the attacker’s object graph during deserialization [1]. No authentication or prior interaction is required beyond being able to send a valid CMPP 7F message.
Impact
Successful exploitation yields arbitrary code execution on the target server with the privileges of the sms-core process. The attacker can gain full control over the SMS gateway, including the ability to intercept, modify, or inject SMS messages, exfiltrate sensitive data, and pivot to internal networks [1].
Mitigation
No fixed version of sms-core has been publicly announced as of the disclosure date. Upgrading to a patched release (if/when available) is the recommended action. Until a fix exists, operators should restrict network access to the CMPP 7F endpoint to trusted sources only, or disable the CMPP 7F protocol if it is not required [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Unvalidated deserialization of attacker-controlled attachment data in Cmpp7FDeliverRequestMessageCodec.decode() using a default FST configuration with no class whitelist."
Attack vector
An attacker sends a crafted TCP packet to the server's CMPP port (default 7890) that conforms to the CMPP 7F Deliver Request message structure [1]. The packet includes a malicious FST-serialized object in the attachment field. The Netty pipeline parses the header and, based on command ID 0x00000005, routes the message to `Cmpp7FDeliverRequestMessageCodec.decode()`, which reads the attachment length and bytes and then calls `FstObjectSerializeUtil.read()`. This unsafe deserialization triggers arbitrary code execution [1]. No authentication is required beyond valid CMPP credentials if configured, and the attacker fully controls the serialized payload.
Affected code
The vulnerability resides in `Cmpp7FDeliverRequestMessageCodec.decode()` (lines 98-107), which deserializes the attachment field without validation, and in `FstObjectSerializeUtil.read()` (lines 12-16), which uses a default FST configuration with no class whitelist [1]. Only the CMPP 7F protocol version (command ID 0x7F) is affected; CMPP 2.0 and 3.0 are not [1].
What the fix does
The advisory recommends remediating the vulnerability by implementing input validation on the deserialized data and adding a class whitelist to the FST configuration in `FstObjectSerializeUtil` to restrict which classes can be deserialized [1]. No official patch has been published for sms-core versions ≤ 2.1.13.6 as of the advisory's writing [1].
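The two recommended controls (bounding the attachment input and restricting deserialization to a class whitelist), sketched as an added example that is not code from sms-core or the advisory. It uses JDK serialization with `ObjectInputFilter` (Java 9+) in place of FST, whose configuration API is not shown on this page; the `Attachment` class, the 4-byte length prefix and the size, depth and reference limits are assumptions.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.util.Set;
public class AttachmentAllowlistDemo {
    // Hypothetical attachment type; the real sms-core attachment classes are not shown on the page.
    static final class Attachment implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note;
        Attachment(String note) { this.note = note; }
    }
    static final int MAX_BYTES = 4096; // assumed bound, tune to legitimate traffic
    static final Set<String> ALLOWED = Set.of(Attachment.class.getName(), String.class.getName());

    // Allowlist filter: a class that is not explicitly listed is rejected before it is instantiated.
    static ObjectInputFilter.Status filter(ObjectInputFilter.FilterInfo info) {
        if (info.depth() > 4 || info.references() > 64) return ObjectInputFilter.Status.REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limits-only callback, no class to judge
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    }

    // Reads a length-prefixed attachment (constructed framing) and deserializes it under the filter.
    static Object readAttachment(ByteBuffer buf) throws IOException, ClassNotFoundException {
        int len = buf.getInt();
        if (len <= 0 || len > MAX_BYTES || len > buf.remaining())
            throw new InvalidObjectException("attachment length out of bounds: " + len);
        byte[] raw = new byte[len];
        buf.get(raw);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(AttachmentAllowlistDemo::filter);
            return in.readObject();
        }
    }

    // Helper that builds a constructed sample frame: 4-byte length followed by the serialized object.
    static ByteBuffer frame(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return ByteBuffer.allocate(4 + bos.size()).putInt(bos.size()).put(bos.toByteArray()).flip();
    }
    public static void main(String[] args) throws Exception {
        System.out.println(((Attachment) readAttachment(frame(new Attachment("ok")))).note);
        try {
            readAttachment(frame(new java.util.Date(0))); // constructed sample: class not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs on each class descriptor before the object is constructed, so a class outside the list fails with `InvalidClassException` instead of being instantiated.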
Preconditions
- config: Server must be configured to use CMPP 7F protocol version (version field set to 0x7F)
- network: Attacker must be able to reach the CMPP server port (default 7890) over TCP
- auth: If server requires authentication, attacker needs valid CMPP credentials (username/password)
- input: Attacker must craft a valid CMPP Deliver Request message with a malicious FST-serialized attachment
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.