CVE-2025-15539: Denial of Service in Open5GS
CVE-2025-15539 is a medium severity denial of service (DoS) vulnerability in Open5GS versions up to 2.7.6. It affects the sgwc_s11_handle_downlink_data_notification_ack function in the sgwc component, allowing remote attackers to cause a DoS without authentication or user interaction. The vulnerability has a CVSS 4.0 score of 6.9 and has been publicly disclosed, though no known exploits are currently active in the wild. A patch is available and recommended to mitigate the issue. This vulnerability could disrupt 5G core network operations relying on Open5GS, impacting service availability. European telecom operators and infrastructure providers using Open5GS should prioritize patching to maintain network stability and avoid service outages.
AI Analysis
Technical Summary
CVE-2025-15539 is a denial of service vulnerability identified in Open5GS, an open-source 5G core network implementation widely used for 5G mobile network infrastructure. The flaw exists in the sgwc_s11_handle_downlink_data_notification_ack function within the sgwc component, specifically in the file src/sgwc/s11-handler.c. This function handles downlink data notification acknowledgments on the S11 interface, which is critical for communication between the Serving Gateway Control plane (SGWC) and the Mobility Management Entity (MME) or Access and Mobility Management Function (AMF) in 5G networks. Due to improper handling of certain inputs, an attacker can remotely trigger a denial of service condition, causing the affected component to crash or become unresponsive, thereby disrupting the 5G core network's ability to process downlink data notifications. The vulnerability requires no authentication or user interaction, increasing its risk profile. The CVSS 4.0 score of 6.9 reflects a medium severity, with a network attack vector, low attack complexity, and no privileges or user interaction required. The issue has been publicly disclosed, and a patch has been issued (commit b4707272c1caf6a7d4dca905694ea55557a0545f) to fix the vulnerability. While no known exploits are currently observed in the wild, the public disclosure means attackers could develop exploits, making timely patching critical. This vulnerability primarily impacts organizations deploying Open5GS for 5G core network functions, potentially causing service outages and impacting network reliability.
Potential Impact
For European organizations, particularly telecom operators and infrastructure providers deploying Open5GS in their 5G core networks, this vulnerability poses a significant risk to network availability. A successful denial of service attack could disrupt the processing of downlink data notifications, leading to partial or complete service outages for mobile subscribers. This disruption can affect critical communications, emergency services, and enterprise connectivity relying on 5G networks. Given the increasing reliance on 5G for digital transformation, IoT, and critical infrastructure, such outages could have cascading effects on business operations and public safety. Additionally, because the vulnerability is remote and unauthenticated, attackers can exploit it without insider access, which widens the pool of potential attackers. European organizations may also face reputational damage and regulatory scrutiny if service disruptions occur. The impact is magnified in countries with advanced 5G deployments and where Open5GS is used as a cost-effective or open-source core network solution.
Mitigation Recommendations
European organizations should immediately assess their 5G core network deployments to identify Open5GS versions 2.7.0 through 2.7.6 in use. The primary mitigation is to apply the official patch (commit b4707272c1caf6a7d4dca905694ea55557a0545f) provided by the Open5GS project to remediate the vulnerability. Network operators should also implement robust network segmentation and firewall rules to restrict access to the S11 interface, limiting exposure to untrusted networks. Continuous monitoring of network traffic for anomalies related to downlink data notifications can help detect attempted exploitation. Employing rate limiting and anomaly detection on the S11 interface may reduce the risk of DoS attacks. Operators should maintain up-to-date inventories of network components and ensure timely patch management processes are in place. Coordination with national cybersecurity agencies and telecom regulators can provide additional threat intelligence and support. Finally, contingency plans for rapid incident response and service restoration should be reviewed and tested.
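One way to carry out the first two recommendations (find builds in the 2.7.0 through 2.7.6 range and confirm whether the fix commit is present), as an added example that is not from the Open5GS project or the original advisory. The function names and verdict words are hypothetical; it assumes the build's source checkout is available and relies only on standard git subcommands.

```shell
#!/bin/sh
# Added example: triage one Open5GS build for CVE-2025-15539.
# Commit id and version range are the ones quoted in the advisory.
FIX_COMMIT=b4707272c1caf6a7d4dca905694ea55557a0545f

# 0 = version is 2.7.0 .. 2.7.6, 1 = outside that range, 2 = unparseable.
# Accepts "2.7.5", "v2.7.5" and git-describe output such as "v2.7.5-12-gabc1234".
version_in_affected_range() {
    v=${1#v}                 # drop a leading "v"
    v=${v%%[-+~]*}           # drop describe/package suffix
    case $v in ''|*[!0-9.]*) return 2 ;; esac
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    [ $# -eq 3 ] || return 2
    [ "$1" -eq 2 ] && [ "$2" -eq 7 ] && [ "$3" -le 6 ]
}

# 0 = fix commit is in HEAD's history, 1 = it is not, 2 = cannot tell
# (no git, not a checkout, or a shallow clone that lacks the commit object).
source_has_fix() {
    git -C "$1" rev-parse --git-dir >/dev/null 2>&1 || return 2
    if ! git -C "$1" cat-file -e "$FIX_COMMIT^{commit}" 2>/dev/null; then
        [ "$(git -C "$1" rev-parse --is-shallow-repository)" = true ] && return 2
        return 1
    fi
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD
}

# triage <version-string> <source-dir> -> prints one verdict word.
triage() {
    in_range=0; version_in_affected_range "$1" || in_range=$?
    fixed=0;    source_has_fix "$2"            || fixed=$?
    if   [ "$fixed" -eq 0 ];    then echo PATCHED
    elif [ "$in_range" -eq 0 ]; then echo AFFECTED      # in range, fix not proven
    elif [ "$in_range" -eq 2 ]; then echo UNKNOWN
    else                             echo NOT_IN_RANGE
    fi
}

# Example: triage "$(git -C /path/to/open5gs describe --tags)" /path/to/open5gs
```

A vendor backport applied as a cherry-pick carries a different commit id, so ancestry cannot prove it; such a build is reported as AFFECTED until the change in src/sgwc/s11-handler.c is confirmed by other means.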
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-18T07:33:03.737Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696d6fb9d302b072d906e96e
Added to database: 1/18/2026, 11:41:45 PM
Last enriched: 1/26/2026, 8:02:26 PM
Last updated: 2/7/2026, 5:32:58 AM