CVE-2025-15156: NULL Pointer Dereference in omec-project UPF
A flaw has been found in omec-project UPF up to 2.1.3-dev. It affects the function handleSessionEstablishmentRequest in the file /pfcpiface/pfcpiface/messages_session.go of the component PFCP Session Establishment Request Handler. Manipulating the input causes a null pointer dereference. The attack may be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2025-15156 identifies a null pointer dereference vulnerability in the omec-project User Plane Function (UPF) software, version 2.1.3-dev and earlier. The flaw resides in the function handleSessionEstablishmentRequest within the PFCP Session Establishment Request Handler component, specifically in the file /pfcpiface/pfcpiface/messages_session.go. When processing PFCP (Packet Forwarding Control Protocol) session establishment requests, improper handling of input data can lead to dereferencing a null pointer, causing the UPF process to crash. This vulnerability can be exploited remotely by an unauthenticated attacker without requiring user interaction, as the PFCP interface is network-facing and handles control plane messages for session management in 5G core networks. The impact is primarily a denial of service (DoS), disrupting the UPF's ability to forward user plane traffic, which can degrade or interrupt 5G data services. The vulnerability has a CVSS 4.0 score of 5.3, reflecting medium severity with network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on availability. No patches or fixes have been published yet, and the omec-project maintainers have not responded to the vulnerability report. The availability of a public exploit increases the risk of exploitation in the wild, although no confirmed incidents have been reported to date.
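The bug class described above, as an added Go example that is not the omec-project code: the struct, field and function names are hypothetical, and the page does not say which value the real handler dereferences. It shows an unchecked dereference next to a validating handler and a recover wrapper that keeps one malformed request from terminating the process.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for a decoded request: an information element (IE)
// that is absent from the message decodes to a nil pointer.
type FSEID struct{ SEID uint64 }
type NodeID struct{ Value string }
type SessionEstablishmentRequest struct {
	NodeID  *NodeID
	CPFSEID *FSEID
}

var ErrMissingIE = errors.New("mandatory IE missing")

// unsafeHandle shows the bug class: it dereferences without checking.
func unsafeHandle(req *SessionEstablishmentRequest) uint64 {
	return req.CPFSEID.SEID // panics when CPFSEID is nil
}

// safeHandle validates every pointer first and rejects the request instead.
func safeHandle(req *SessionEstablishmentRequest) (uint64, error) {
	if req == nil || req.NodeID == nil || req.CPFSEID == nil {
		return 0, ErrMissingIE
	}
	return req.CPFSEID.SEID, nil
}

// guarded turns a panic in one request into an error so the process keeps
// serving other sessions (defence in depth, not a substitute for the checks).
func guarded(h func(*SessionEstablishmentRequest) uint64, req *SessionEstablishmentRequest) (seid uint64, err error) {
	defer func() {
		if r := recover(); r != nil {
			seid, err = 0, fmt.Errorf("handler panic contained: %v", r)
		}
	}()
	return h(req), nil
}

func main() {
	malformed := &SessionEstablishmentRequest{NodeID: &NodeID{Value: "smf.example"}}
	_, err := safeHandle(malformed)
	fmt.Println("validated handler:", err)
	_, err = guarded(unsafeHandle, malformed)
	fmt.Println("guarded legacy handler:", err)
}
```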
Potential Impact
For European organizations, particularly telecom operators and 5G infrastructure providers deploying omec-project UPF version 2.1.3-dev, this vulnerability poses a risk of service disruption through denial of service attacks. The UPF is a critical component in 5G networks responsible for user plane data forwarding; its failure can lead to dropped connections, degraded network performance, and potential cascading effects on dependent services. This can impact mobile broadband users, IoT services, and enterprise connectivity relying on 5G. Given the remote and unauthenticated exploitability, attackers could target vulnerable UPF instances to cause outages or degrade service quality. This is especially concerning for countries with advanced 5G rollouts and operators using open-source or omec-project-based UPF implementations. The lack of a patch and vendor response increases exposure time, necessitating immediate mitigations to maintain network stability and service continuity.
Mitigation Recommendations
Until an official patch is released, European telecom operators should take the following steps:
- Implement strict network segmentation and access controls to limit exposure of the PFCP interface to trusted management and control plane entities only.
- Deploy network-level intrusion detection and prevention systems (IDS/IPS) to monitor and block malformed or suspicious PFCP session establishment requests.
- Employ rate limiting and anomaly detection on PFCP traffic to reduce the risk of DoS exploitation.
- Regularly audit UPF logs for crash events or unusual session establishment failures indicative of exploitation attempts.
- Consider deploying redundant UPF instances with failover capabilities to minimize service impact in case of crashes.
- Engage with the omec-project community to track patch developments and apply updates promptly once available.
- Evaluate alternative UPF implementations with active maintenance if risk tolerance is low.
- Document incident response procedures specific to UPF service disruptions to enable rapid recovery.
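One way to automate the log audit recommended above, as an added Go example that is not part of the original advisory or the project. It assumes the UPF's raw stderr is captured, matches the Go runtime's nil-dereference panic text, and attributes a crash to the PFCP handler only when the function named in the advisory appears in the panicking goroutine's frames; the sample log is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const nilDerefSig = "invalid memory address or nil pointer dereference" // Go runtime panic text
const suspectFunc = "handleSessionEstablishmentRequest"                 // function named in the advisory

// auditLog counts nil-dereference panics and those whose crashing goroutine names suspectFunc.
func auditLog(log string) (crashes, inHandler int) {
	const idle, awaitTrace, inFrames = 0, 1, 2
	state := idle
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.Contains(line, nilDerefSig):
			crashes++
			state = awaitTrace
		case state == awaitTrace && strings.Contains(line, "[running]:"):
			state = inFrames
		case state == inFrames && strings.TrimSpace(line) == "":
			state = idle // blank line ends the panicking goroutine's frames
		case state == inFrames && strings.Contains(line, suspectFunc):
			inHandler++
			state = idle
		}
	}
	return crashes, inHandler
}

// Constructed sample log; package names and frames are placeholders.
const sampleLog = `panic: runtime error: invalid memory address or nil pointer dereference

goroutine 7 [running]:
example.handleSessionEstablishmentRequest(...)

panic: runtime error: invalid memory address or nil pointer dereference

goroutine 3 [running]:
example.otherHandler(...)

INFO handleSessionEstablishmentRequest completed
`

func main() { fmt.Println(auditLog(sampleLog)) }
```

Repeated handler-attributed crashes are the signal to correlate with PFCP traffic sources on the segment.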
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-27T16:58:02.810Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695450b9db813ff03e2bf716
Added to database: 12/30/2025, 10:22:49 PM
Last enriched: 12/30/2025, 11:38:44 PM
Last updated: 2/6/2026, 4:07:31 PM