CVE-2025-14955: Improper Initialization in Open5GS
CVE-2025-14955 is a medium-severity vulnerability in Open5GS versions up to 2.7.5 involving improper initialization in the PFCP component's ogs_pfcp_handle_create_pdr function. The flaw can be exploited remotely without authentication or user interaction but requires high attack complexity, limiting ease of exploitation. Successful exploitation could lead to limited impact on system availability or integrity. Open5GS is an open-source 5G core network implementation, making this vulnerability relevant to telecom operators and service providers deploying 5G infrastructure. A patch is available and should be applied promptly to mitigate risk. European organizations using Open5GS in their 5G networks are advised to prioritize patching due to the strategic importance of telecom infrastructure. Countries with advanced 5G deployments and open-source adoption are more likely to be affected. The vulnerability does not currently have known exploits in the wild, but public exploit code exists, increasing potential risk if unpatched.
AI Analysis
Technical Summary
CVE-2025-14955 is a vulnerability identified in Open5GS, an open-source 5G core network software, affecting versions 2.7.0 through 2.7.5. The issue resides in the PFCP (Packet Forwarding Control Protocol) component, specifically within the function ogs_pfcp_handle_create_pdr located in lib/pfcp/handler.c. The vulnerability stems from improper initialization during the handling of PFCP Create PDR (Packet Detection Rule) messages. This improper initialization can lead to undefined behavior, potentially causing partial disruption or degradation of the PFCP session management. The vulnerability can be exploited remotely without requiring authentication or user interaction, but the attack complexity is high, indicating that exploitation requires significant expertise or specific conditions. The CVSS v4.0 base score is 6.3 (medium severity), reflecting limited impact on confidentiality, integrity, and availability, and no privileges or user interaction needed. Although no known exploits are currently observed in the wild, exploit code has been publicly disclosed, increasing the risk of future attacks. The patch identified by commit 773117aa5472af26fc9f80e608d3386504c3bdb7 addresses the improper initialization flaw and should be applied to all affected Open5GS deployments to prevent exploitation. Given Open5GS’s role in 5G core network infrastructure, this vulnerability could impact the reliability and security of 5G services if exploited.
Potential Impact
For European organizations, especially telecom operators and network infrastructure providers deploying Open5GS as part of their 5G core networks, this vulnerability poses a risk to the stability and security of critical communications infrastructure. Exploitation could lead to partial disruption or degradation of PFCP session management, potentially affecting data forwarding and session continuity. While the impact on confidentiality and integrity is limited, availability could be affected, leading to service interruptions or degraded network performance. This could have downstream effects on enterprises and consumers relying on 5G connectivity for critical applications. The medium severity and high attack complexity reduce immediate risk, but the public availability of exploit code increases the urgency for patching. European telecom providers operating in competitive and regulated markets must ensure compliance with security standards and protect infrastructure from emerging threats. Failure to patch could also expose organizations to regulatory penalties under frameworks like the NIS Directive and GDPR if service disruptions impact data processing or availability.
Mitigation Recommendations
European organizations should prioritize the following specific mitigation steps:
1) Immediately apply the official patch (commit 773117aa5472af26fc9f80e608d3386504c3bdb7) to all Open5GS instances running versions 2.7.0 through 2.7.5 to remediate the improper initialization vulnerability.
2) Conduct thorough testing in staging environments to ensure patch compatibility with existing network configurations and services.
3) Implement network segmentation and strict access controls to limit exposure of PFCP interfaces to trusted management networks only, reducing the attack surface.
4) Monitor PFCP traffic for anomalous or malformed Create PDR messages that could indicate exploitation attempts.
5) Maintain up-to-date threat intelligence feeds and subscribe to vulnerability advisories related to Open5GS and 5G core components.
6) Develop incident response plans specifically addressing 5G core network threats, including this vulnerability.
7) Engage with vendors and open-source communities for ongoing security updates and best practices.
8) Where possible, deploy additional runtime protections such as memory safety tools or application-layer firewalls to detect and block malformed PFCP messages.
These targeted actions go beyond generic patching and help strengthen the overall security posture of 5G core network deployments.
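For steps 3 and 4, the following added example (not code from Open5GS or from this advisory) inspects a captured PFCP payload from UDP port 8805 and reports session requests from peers outside an allowlist and structurally malformed Create PDR IEs. The function names and the `TRUSTED_PEERS` address are assumptions; the checks follow the TLV framing of 3GPP TS 29.244 and are not a signature for this CVE's trigger, which the advisory does not describe.

```python
import struct

# PFCP values from 3GPP TS 29.244: message types and IE type codes.
SESSION_ESTABLISHMENT_REQ, SESSION_MODIFICATION_REQ = 50, 52
IE_CREATE_PDR, IE_PDI, IE_PDR_ID = 1, 2, 56
TRUSTED_PEERS = {"10.10.0.2"}  # assumption: constructed allowlist of SMF addresses

def ie(ie_type, value=b""):
    """Encode one TLV IE (used here only to build constructed samples)."""
    return struct.pack("!HH", ie_type, len(value)) + value

def walk_ies(buf):
    """Yield (type, value) per IE; raise ValueError on truncation or overrun."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated IE header")
        ie_type, ie_len = struct.unpack_from("!HH", buf, off)
        off += 4
        if ie_len > len(buf) - off:
            raise ValueError(f"IE {ie_type} length {ie_len} overruns buffer")
        yield ie_type, buf[off:off + ie_len]
        off += ie_len

def inspect_pfcp(src_ip, payload):
    """Return findings for one UDP/8805 payload; an empty list means clean."""
    if len(payload) < 4:
        return ["short PFCP header"]
    flags, msg_type, length = struct.unpack_from("!BBH", payload, 0)
    hdr = 16 if flags & 1 else 8  # S flag: 8-byte SEID precedes the sequence number
    if flags >> 5 != 1 or len(payload) < hdr:
        return ["bad PFCP version or short header"]
    findings = []
    if length != len(payload) - 4:
        findings.append("header length does not match datagram size")
    if msg_type not in (SESSION_ESTABLISHMENT_REQ, SESSION_MODIFICATION_REQ):
        return findings
    if src_ip not in TRUSTED_PEERS:
        findings.append(f"session request from non-allowlisted peer {src_ip}")
    try:
        for ie_type, value in walk_ies(payload[hdr:]):
            if ie_type != IE_CREATE_PDR:
                continue
            missing = {IE_PDR_ID, IE_PDI} - {t for t, _ in walk_ies(value)}
            if missing:
                findings.append(f"Create PDR missing IE types {sorted(missing)}")
    except ValueError as exc:
        findings.append(f"malformed IE: {exc}")
    return findings
```

Feed it the UDP payload and source address of each packet from a capture or mirror port on the N4/Sx segment; any non-empty result is worth correlating with UPF logs.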
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-19T08:31:39.061Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69458084f063e4fadff5e830
Added to database: 12/19/2025, 4:42:44 PM
Last enriched: 12/19/2025, 4:50:32 PM
Last updated: 12/19/2025, 5:49:59 PM