CVE-2025-15539: Denial of Service in Open5GS
A vulnerability was found in Open5GS up to 2.7.6. It affects the function sgwc_s11_handle_downlink_data_notification_ack in the file src/sgwc/s11-handler.c of the sgwc component. The manipulation causes a denial of service. The attack can be initiated remotely. The exploit has been publicly disclosed and may be used. Patch name: b4707272c1caf6a7d4dca905694ea55557a0545f. Deploying the patch is the recommended fix. The issue report is flagged as already-fixed.
AI Analysis
Technical Summary
CVE-2025-15539 is a denial of service vulnerability identified in Open5GS, an open-source 5G core network implementation widely used for mobile network infrastructure. The flaw resides in the sgwc_s11_handle_downlink_data_notification_ack function of the sgwc component, specifically in the handling of downlink data notification acknowledgments over the S11 interface. This vulnerability allows a remote attacker to send specially crafted messages that cause the affected function to malfunction, leading to a denial of service condition. The attack requires no authentication or user interaction, making it remotely exploitable over the network. The vulnerability affects Open5GS versions 2.7.0 through 2.7.6. The CVSS 4.0 base score is 6.9, reflecting a medium severity with network attack vector, low attack complexity, and no privileges or user interaction required. The vulnerability has been publicly disclosed, and a patch identified by commit b4707272c1caf6a7d4dca905694ea55557a0545f is available to remediate the issue. No known exploits have been observed in the wild yet, but the public disclosure increases the risk of exploitation attempts. This vulnerability could disrupt 5G core network operations, impacting service continuity and availability of mobile network services relying on Open5GS.
Potential Impact
For European organizations, especially telecom operators and infrastructure providers deploying Open5GS in their 5G core networks, this vulnerability poses a risk of service disruption. A successful denial of service attack could interrupt mobile data sessions, degrade network performance, or cause outages affecting end users and enterprise customers. This can lead to reputational damage, regulatory scrutiny under GDPR and telecom regulations, and potential financial losses due to service downtime. Critical infrastructure relying on 5G connectivity, such as emergency services, IoT deployments, and industrial automation, could also be indirectly impacted. The medium severity indicates that while the vulnerability is not catastrophic, the ease of remote exploitation without authentication makes it a significant operational risk. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate the risk, especially given the public disclosure.
Mitigation Recommendations
European organizations should immediately check their Open5GS deployments and identify whether versions 2.7.0 through 2.7.6 are in use. The primary mitigation is to apply the official patch referenced by commit b4707272c1caf6a7d4dca905694ea55557a0545f, which brings the deployment to a fixed version. Network operators should also implement strict network segmentation and firewall rules to restrict access to the S11 interface, limiting exposure to untrusted networks. Continuous monitoring of sgwc logs and network traffic for anomalous downlink data notification acknowledgments can help detect exploitation attempts. Intrusion detection/prevention systems (IDS/IPS) tuned for 5G core protocols may provide additional defense. Regular vulnerability scanning and penetration testing focused on 5G core components are recommended to identify residual risks. Finally, maintaining an incident response plan tailored to telecom infrastructure will help limit the impact if exploitation occurs.
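One way to carry out the version and patch checks recommended above, as an added example that is not part of the original advisory or of Open5GS: it classifies a version string against the affected range and, for a source checkout, tests whether the fix commit is in the history of HEAD. The function names and status labels are assumptions made for this example, and the version string is supplied by the operator.

```shell
#!/bin/sh
# Added example, not Open5GS project code. Range and commit come from this advisory.
FIX_COMMIT=b4707272c1caf6a7d4dca905694ea55557a0545f

# Classify a version string ("2.7.6", "v2.7.2", "v2.7.5-12-gabc1234"):
#   affected = 2.7.0 through 2.7.6
#   review   = older than 2.7.0 (the description only says "up to 2.7.6")
#   newer    = later than 2.7.6
#   unknown  = not a three-part numeric version
open5gs_version_status() {
    v=${1#v}                 # drop a leading "v"
    v=${v%%[-+~]*}           # drop git-describe or packaging suffixes
    case "$v" in
        ""|*[!0-9.]*|*..*|.*|*.) echo unknown; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v                # split on dots into $1 $2 $3
    IFS=$old_ifs
    if [ "$#" -ne 3 ]; then echo unknown; return 0; fi
    if [ "$1" -lt 2 ] || { [ "$1" -eq 2 ] && [ "$2" -lt 7 ]; }; then
        echo review
    elif [ "$1" -eq 2 ] && [ "$2" -eq 7 ] && [ "$3" -le 6 ]; then
        echo affected
    else
        echo newer
    fi
}

# For a source checkout: is the fix commit in the history of HEAD?
# A backport under a different hash is reported as "missing"; check it by hand.
open5gs_checkout_has_fix() {
    if ! git -C "$1" cat-file -e "${FIX_COMMIT}^{commit}" 2>/dev/null; then
        echo unknown         # not a git repo, shallow clone, or git unavailable
    elif git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null; then
        echo fixed
    else
        echo missing
    fi
}

# usage: triage <version> [source-dir]
triage() {
    status=$(open5gs_version_status "$1")
    if [ "$status" = affected ] && [ -n "${2:-}" ]; then
        if [ "$(open5gs_checkout_has_fix "$2")" = fixed ]; then status=patched-build; fi
    fi
    echo "$status"
}

if [ "$#" -gt 0 ]; then triage "$@"; fi
```

A result of `affected` with no source directory means the version alone cannot rule the host out; packaged builds need the distributor's changelog to confirm whether the patch was backported.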
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-18T07:33:03.737Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696d6fb9d302b072d906e96e
Added to database: 1/18/2026, 11:41:45 PM
Last enriched: 1/18/2026, 11:56:18 PM
Last updated: 1/19/2026, 7:12:11 AM