CVE-2025-15530 is a vulnerability identified in Open5GS, an open-source 5G core network implementation widely used for mobile network infrastructure. The flaw exists in the sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request function within the s11-handler.c source file. This function handles the creation of indirect data forwarding tunnels, a critical operation in the 5G core's Serving Gateway Control (SGWC) component. The vulnerability manifests as a reachable assertion failure triggered by crafted remote inputs, which can cause the process to terminate unexpectedly, leading to denial of service (DoS). The attack vector is network-based, requiring no authentication or user interaction, making it highly accessible to remote attackers. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation and the impact limited primarily to availability. The vulnerability was publicly disclosed shortly after discovery, with patches released to address the issue in versions beyond 2.7.6. No active exploitation has been reported, but the public availability of exploit details increases the risk of future attacks. The vulnerability affects all Open5GS versions from 2.7.0 through 2.7.6, which are commonly deployed in 5G core networks, especially in cost-sensitive or experimental environments. The reachable assertion failure could disrupt mobile data services by crashing the SGWC process, impacting subscriber connectivity and network reliability.

For European organizations, especially telecom operators and mobile network providers deploying Open5GS as part of their 5G core infrastructure, this vulnerability poses a significant risk to network availability. A successful exploitation could lead to denial of service conditions, causing service interruptions for end-users and potentially impacting critical communications. This could degrade customer experience, lead to regulatory non-compliance due to service outages, and damage the operator's reputation. Given the central role of the SGWC in managing data forwarding tunnels, repeated crashes could destabilize the network core, affecting multiple subscribers simultaneously. Additionally, the vulnerability could be leveraged as part of a broader attack campaign targeting telecom infrastructure, which is strategically important in Europe. The medium severity rating indicates that while confidentiality and integrity are not directly impacted, availability disruptions in telecom networks can have cascading effects on emergency services, business operations, and public safety communications.

European telecom operators should immediately upgrade Open5GS deployments to versions later than 2.7.6 where the vulnerability is fixed. Until patching is complete, network administrators should implement strict filtering and monitoring on the S11 interface to detect and block malformed or suspicious Create Indirect Data Forwarding Tunnel requests. Deploying anomaly detection systems that can identify unusual patterns in tunnel creation requests will help in early detection of exploitation attempts. Operators should also conduct thorough audits of their Open5GS configurations and logs to identify any signs of attempted exploitation. Implementing redundancy and failover mechanisms for the SGWC component can minimize service disruption in case of crashes. Coordination with national cybersecurity agencies and sharing threat intelligence related to this vulnerability can enhance preparedness. Finally, operators should review and update incident response plans to address potential denial of service scenarios stemming from this vulnerability.