CVE-2025-15417: Denial of Service in Open5GS
A vulnerability was identified in Open5GS up to 2.7.6. It affects the function sgwc_s11_handle_create_session_request in the file src/sgwc/s11-handler.c, part of the GTPv2-C F-TEID Handler component. Manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The patch is commit 465273d13ba5d47b274c38c9d1b07f04859178a1, and it should be applied to remediate this issue.
AI Analysis
Technical Summary
CVE-2025-15417 is a vulnerability in Open5GS, an open-source 5G core network implementation widely used for mobile network infrastructure. The flaw is in the sgwc_s11_handle_create_session_request function in src/sgwc/s11-handler.c, specifically in the GTPv2-C F-TEID Handler component, which manages S11 interface signaling between the Mobility Management Entity (MME) and the Serving Gateway Control (SGWC). A locally authenticated attacker with low privileges can manipulate the handling of session creation requests and cause a denial of service. The attack requires no user interaction and does not compromise confidentiality or integrity; it affects availability by potentially crashing or destabilizing the SGWC component, which disrupts 5G session management. The vulnerability affects Open5GS versions 2.7.0 through 2.7.6. A patch has been released (commit 465273d13ba5d47b274c38c9d1b07f04859178a1) to fix the issue. Although exploit code is publicly available, no active exploitation has been reported. The CVSS v4.0 score is 4.8 (medium), reflecting the local attack vector, low complexity, no privileges beyond low-privileged local access, and no user interaction. The vulnerability matters to operators and enterprises deploying Open5GS in their 5G core networks, because a denial of service can disrupt mobile connectivity and related services.
Potential Impact
For European organizations, this vulnerability poses a risk of service disruption in 5G core network operations where Open5GS is deployed. A successful exploit can cause denial of service in the Serving Gateway Control component, interrupting session management and potentially impacting mobile data and voice services. This can affect telecom operators, private 5G network providers, and enterprises relying on Open5GS for critical communications infrastructure. The disruption could lead to degraded user experience, loss of revenue, and damage to reputation. Given the increasing adoption of 5G networks across Europe, especially in sectors like manufacturing, transportation, and public safety, availability issues could have cascading effects on dependent services and IoT deployments. However, the requirement for local access limits the attack surface primarily to insiders or compromised internal systems, reducing the risk of remote exploitation by external attackers.
Mitigation Recommendations
European organizations should immediately apply the official patch identified by commit 465273d13ba5d47b274c38c9d1b07f04859178a1 to all affected Open5GS instances running versions 2.7.0 through 2.7.6. Network segmentation and strict access controls should be enforced to limit local access to the SGWC host, minimizing the risk of insider threats or lateral movement by attackers. Monitoring and logging of S11 interface traffic and SGWC process stability should be enhanced to detect anomalous session creation requests or service disruptions. Employing host-based intrusion detection systems (HIDS) and endpoint security solutions can help identify attempts to exploit this vulnerability. Additionally, organizations should review and harden internal network security policies, including multi-factor authentication for administrative access and regular audits of user privileges. Testing the patch in a staging environment before production deployment is recommended to ensure compatibility and stability.
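As an added example (not part of the original advisory and not Open5GS project code), the sketch below triages an inventory of reported Open5GS version strings against the range and fix commit given above, and checks a source checkout for the fix with `git merge-base --is-ancestor`. The hostnames, sample versions and verdict labels are constructed for illustration.

```python
import re
import subprocess

# Values taken from the advisory text above.
FIX_COMMIT = "465273d13ba5d47b274c38c9d1b07f04859178a1"
FIRST_LISTED, LAST_LISTED = (2, 7, 0), (2, 7, 6)

# Accepts "2.7.6", "v2.7.6" and `git describe` output like "v2.7.6-31-g0a1b2c3".
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(\d+)-g[0-9a-f]+)?(?:-dirty)?$")


def classify(version):
    """Triage one reported version string against the advisory's range."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsed"
    release = tuple(int(part) for part in m.group(1, 2, 3))
    commits_past_tag = int(m.group(4) or 0)
    if release < FIRST_LISTED:
        return "below-listed-range"
    if release > LAST_LISTED or commits_past_tag:
        # The advisory names a fix commit, not a fixed release, and a source
        # build past a listed tag may or may not contain it: check ancestry.
        return "verify-commit"
    return "affected"


def has_fix(repo_path, rev="HEAD"):
    """True/False if FIX_COMMIT is/is not an ancestor of rev, None if unknown."""
    cmd = ["git", "-C", repo_path, "merge-base", "--is-ancestor", FIX_COMMIT, rev]
    try:
        code = subprocess.run(cmd, capture_output=True).returncode
    except FileNotFoundError:  # git is not installed on this host
        return None
    return {0: True, 1: False}.get(code)  # other codes: bad repo or unknown commit


def triage(inventory):
    """Map each host to its verdict."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "sgwc-lab-1": "v2.7.6",
    "sgwc-lab-2": "v2.7.6-31-g0a1b2c3",
    "sgwc-lab-3": "2.6.6",
    "sgwc-lab-4": "custom-build",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

For hosts marked verify-commit, run has_fix() against the source tree the binary was built from; a None result means the checkout could not answer and needs manual review.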
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-01T10:50:23.624Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6956ffabdb813ff03e890340
Added to database: 1/1/2026, 11:13:47 PM
Last enriched: 1/1/2026, 11:28:48 PM
Last updated: 1/8/2026, 5:05:20 AM