How is CVE-2026-37579 exploited?

Network reachability (required): The attacker must reach the SMSGate sms-core service over the network; the component is exposed via a network-accessible interface (AV:N). Authentication (not-required): No credentials or account of any privilege level are needed to trigger the vulnerable code path (PR:N). Victim interaction (not-required): Exploitation is fully attacker-driven and requires no action from any user or operator on the target system (UI:N). Attack complexity (info): The exploit is reliable and imposes no special preconditions such as race conditions or specific memory layout requirements (AC:L).

What is the impact of CVE-2026-37579?

Attacker executes arbitrary code in the context of the process running sms-core, gaining control over that process. Confidential data accessible to the process, such as stored messages or credentials, can be read. Attacker can write or modify data handled by the service, including message queues or configuration files. The running service can be crashed or rendered unavailable, disrupting SMS gateway operations.

Back to search

HIGHCVE-2026-37579Published 2026-05-28Modified 2026-05-29CNA mitre

CVE-2026-37579: An issue in SMSGate sms-core<=2

Q: What is CVE-2026-37579?

Remote code execution via a vulnerable message codec component in SMSGate sms-core versions 2.1.13.6 and earlier. The vulnerability is reachable over the network without any authentication or user interaction, making it exploitable by any attacker who can reach the service. Successful exploitation allows the attacker to execute arbitrary code on the host running the affected component. No fix version has been published yet; HarborGuard tracks the advisory for patch availability.

Q: Is CVE-2026-37579 patched?

Because no fix version has been published upstream, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, customers can apply compensating controls such as network-policy isolation to restrict access to the affected service.

An issue in SMSGate sms-core<=2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component

HarborGuard Analysis

HarborGuard analysis

Synopsis

Remote code execution via a vulnerable message codec component in SMSGate sms-core versions 2.1.13.6 and earlier. The vulnerability is reachable over the network without any authentication or user interaction, making it exploitable by any attacker who can reach the service. Successful exploitation allows the attacker to execute arbitrary code on the host running the affected component. No fix version has been published yet; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle sms-core directly.

Available

Triage

HarborGuard scores this finding at CVSS 7.3 (High) and weights it against each environment's compliance policy to determine urgency and routing, directing the alert to the appropriate team inbox within each customer organization.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, customers can apply compensating controls such as network-policy isolation to restrict access to the affected service.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the SMSGate sms-core service over the network; the component is exposed via a network-accessible interface (AV:N).
AuthenticationNot required
No credentials or account of any privilege level are needed to trigger the vulnerable code path (PR:N).
Victim interactionNot required
Exploitation is fully attacker-driven and requires no action from any user or operator on the target system (UI:N).
Attack complexityDetail
The exploit is reliable and imposes no special preconditions such as race conditions or specific memory layout requirements (AC:L).

Blast Radius

Attacker executes arbitrary code in the context of the process running sms-core, gaining control over that process.
Confidential data accessible to the process, such as stored messages or credentials, can be read.
Attacker can write or modify data handled by the service, including message queues or configuration files.
The running service can be crashed or rendered unavailable, disrupting SMS gateway operations.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all scanned images within minutes of ingestion, covering any image that bundles SMSGate sms-core at or below version 2.1.13.6. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix version is published; customers with auto-remediation enabled will then receive a rebuild, a regression-test run, and a pull request opened against affected workloads without manual intervention. While no patch is available, customers are advised to apply network-policy rules that restrict inbound access to the sms-core service to trusted sources only, and to consider egress filtering to limit what the process can reach if compromised.

See how HarborGuard automates this

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

github.com