CVE-2025-15539: Denial of Service in Open5GS
A vulnerability was determined in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c of the component sgwc. This manipulation causes denial of service. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: b4707272c1caf6a7d4dca905694ea55557a0545f. To fix this issue, it is recommended to deploy a patch. The issue report is flagged as already-fixed.
AI Analysis
Technical Summary
CVE-2025-15539 identifies a denial of service vulnerability in Open5GS, an open-source 5G core network software suite widely used by telecom operators and research institutions. The flaw exists in the sgwc_s11_handle_downlink_data_notification_ack function within the sgwc component's s11-handler.c source file. This function handles downlink data notification acknowledgments in the S11 interface, which is critical for communication between the Serving Gateway Control plane (SGWC) and other core network elements. Improper handling or manipulation of input data to this function can cause the service to crash or become unresponsive, resulting in denial of service. The vulnerability can be triggered remotely without requiring any authentication or user interaction, making it accessible to unauthenticated attackers with network access to the affected component. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P) reflects that the attack is network-based, requires low attack complexity, no privileges, and no user interaction, with limited impact on availability. The issue has been publicly disclosed, and a patch is available under commit b4707272c1caf6a7d4dca905694ea55557a0545f. Open5GS versions 2.7.0 through 2.7.6 are affected, and users should upgrade to a patched version to remediate the vulnerability. No known exploits in the wild have been reported yet, but the public disclosure increases the risk of exploitation attempts.
Potential Impact
The primary impact of CVE-2025-15539 is denial of service, which affects the availability of the Open5GS 5G core network component. Disruption of the SGWC function can lead to interruption of critical 5G core network services, including session management and data forwarding for mobile subscribers. This can result in degraded network performance, dropped connections, and service outages for end users relying on the affected network. Telecom operators and service providers using Open5GS in production environments may experience partial or full service disruption, impacting customer experience and potentially causing financial and reputational damage. Given the role of Open5GS in 5G infrastructure, this vulnerability could also affect IoT services, enterprise connectivity, and public safety communications that depend on stable 5G networks. Although the vulnerability does not impact confidentiality or integrity, the availability impact is significant for network operators. The ease of remote exploitation without authentication increases the threat level, especially in environments where the vulnerable component is exposed to untrusted networks.
Mitigation Recommendations
To mitigate CVE-2025-15539, organizations should immediately apply the official patch provided by the Open5GS project, identified by commit b4707272c1caf6a7d4dca905694ea55557a0545f, or upgrade to a fixed version beyond 2.7.6. Network segmentation should be enforced to restrict access to the SGWC S11 interface, limiting exposure to untrusted networks and reducing the attack surface. Deploying intrusion detection and prevention systems (IDS/IPS) with signatures tuned to detect anomalous or malformed S11 messages can help identify and block exploitation attempts. Monitoring logs and network traffic for unusual patterns related to downlink data notification acknowledgments is recommended. Operators should implement rate limiting on control plane interfaces to mitigate potential flooding attacks. Regular vulnerability scanning and penetration testing of the 5G core network components can help identify residual risks. Finally, maintaining an up-to-date inventory of Open5GS deployments and ensuring timely patch management processes are critical to reduce exposure to this and future vulnerabilities.
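The monitoring and segmentation advice above, as an added example that is not part of the original page or the Open5GS project: it parses the GTPv2-C header carried on S11 and flags Downlink Data Notification Acknowledge messages (message type 177 in 3GPP TS 29.274) that come from a peer outside an allowlist or whose declared length does not match the datagram. The function names, the allowlisted MME address and the sample datagrams are constructed assumptions, and the check does not reproduce the trigger for this CVE, which the page does not describe.

```python
import struct

GTPV2C_PORT = 2123  # UDP port for GTPv2-C, which carries S11
DDN_ACK = 177       # Downlink Data Notification Acknowledge (3GPP TS 29.274)

def parse_gtpv2c_header(payload):
    """Return GTPv2-C header fields, or None if the bytes are not a GTPv2-C header."""
    if len(payload) < 8:
        return None
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    if flags >> 5 != 2:                      # version field must be 2
        return None
    teid, seq_at = None, 4
    if flags & 0x08:                         # T flag: a 4-octet TEID follows
        if len(payload) < 12:
            return None
        teid, seq_at = struct.unpack("!I", payload[4:8])[0], 8
    seq = int.from_bytes(payload[seq_at:seq_at + 3], "big")
    # Length counts the octets after the first 4; with the P flag set a
    # piggybacked message follows, so the datagram may legitimately be longer.
    remaining = len(payload) - 4
    length_ok = length <= remaining if flags & 0x10 else length == remaining
    return {"type": msg_type, "teid": teid, "seq": seq, "length_ok": length_ok}

def review_s11_traffic(packets, allowed_peers):
    """Flag DDN Ack messages from unexpected peers or with inconsistent length."""
    findings = []
    for src_ip, dst_port, payload in packets:
        if dst_port != GTPV2C_PORT:
            continue
        hdr = parse_gtpv2c_header(payload)
        if hdr is None:
            findings.append((src_ip, "not a GTPv2-C header"))
        elif hdr["type"] == DDN_ACK and src_ip not in allowed_peers:
            findings.append((src_ip, "DDN Ack from unexpected peer"))
        elif hdr["type"] == DDN_ACK and not hdr["length_ok"]:
            findings.append((src_ip, "DDN Ack length mismatch"))
    return findings

# Constructed sample datagrams (documentation addresses, not captured traffic).
DDN_ACK_OK = bytes.fromhex("48b1000e" "00000001" "00002a00" "020002001000")
DDN_ACK_BAD_LEN = bytes.fromhex("48b10040" "00000001" "00002b00" "020002001000")
ECHO_REQUEST = bytes.fromhex("40010004" "00000100")
SAMPLE = [
    ("192.0.2.10", 2123, DDN_ACK_OK),        # allowlisted MME (assumed address)
    ("198.51.100.7", 2123, DDN_ACK_OK),      # peer outside the allowlist
    ("192.0.2.10", 2123, DDN_ACK_BAD_LEN),   # declared length 64, actual 14
    ("192.0.2.10", 2123, ECHO_REQUEST),      # other message types are ignored
]
```

Calling `review_s11_traffic(SAMPLE, {"192.0.2.10"})` returns the two findings for the second and third datagrams; in practice the tuples would come from a capture on the SGW-C S11 address.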
Affected Countries
United States, China, South Korea, Japan, Germany, France, India, United Kingdom, Brazil, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-18T07:33:03.737Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696d6fb9d302b072d906e96e
Added to database: 1/18/2026, 11:41:45 PM
Last enriched: 2/23/2026, 10:43:38 PM
Last updated: 3/24/2026, 12:24:58 AM