Impact
Based on the description, it is inferred that an attacker needs no authentication to trigger arbitrary code execution by sending crafted data to the Cmpp7FDeliverRequestMessageCodec component within SMSGate sms-core. The flaw is a deserialization vulnerability: the component deserializes attacker-supplied byte streams, which leads to code execution and gives the attacker full control over the affected host. The weakness is a classic instance of deserialization of untrusted data, a high-severity class of bugs that compromises the confidentiality, integrity, and availability of the system.
Affected Systems
The vulnerability exists in SMSGate sms-core versions 2.1.13.6 and earlier. No vendor name is provided, but any deployment of the affected sms-core library is susceptible.
Risk and Exploitability
The vulnerability is remotely exploitable and requires the ability to inject data into the vulnerable component. No EPSS score is published and the issue is not listed in CISA's KEV catalog, yet the potential for full system compromise makes it highly dangerous. Post-exploitation privileges would depend on the service account under which the component runs, but given the unrestricted nature of the code execution path, privilege escalation is a clear risk.