CVE-2025-29339 is a high-severity vulnerability affecting the User Plane Function (UPF) component of Open5GS, an open-source implementation of 5G core network functions. Specifically, the vulnerability arises in UPF versions up to v2.7.2 during the processing of PFCP (Packet Forwarding Control Protocol) Session Establishment Requests. When the UPF receives a PFCP Session Establishment Request containing an invalid PDN (Packet Data Network) Type value of 0, it fails to properly validate this parameter. This improper validation triggers an assertion failure within the UPF, causing the daemon process to crash. The invalid PDN Type value can be propagated either from the Session Management Function (SMF) or introduced via a direct attack against the UPF. The root cause is a lack of robust input validation leading to a fatal assertion check failure (classified under CWE-617: Reachable Assertion). The vulnerability does not impact confidentiality or integrity directly but results in a denial of service (DoS) condition by crashing the UPF daemon, thereby disrupting user plane data forwarding in the 5G core network. The CVSS v3.1 base score is 7.5 (High), with attack vector Network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), and high availability impact (A:H). No known exploits in the wild have been reported to date, and no official patches have been linked yet. The vulnerability is reserved as of March 11, 2025, and published on April 22, 2025. Given the critical role of UPF in 5G networks for data forwarding, this vulnerability could be exploited remotely to cause service disruption in affected deployments.

For European organizations, particularly telecom operators and service providers deploying Open5GS UPF in their 5G core networks, this vulnerability poses a significant risk of service disruption. A successful exploitation results in a denial of service on the UPF, which can interrupt user data traffic, degrade network performance, and potentially impact large numbers of subscribers. This could lead to customer dissatisfaction, regulatory scrutiny, and financial losses. Enterprises relying on private 5G networks using Open5GS could also experience operational interruptions. The disruption of UPF services may affect critical infrastructure sectors that depend on 5G connectivity, such as manufacturing, transportation, and healthcare. Given the increasing adoption of 5G and open-source core network components in Europe, the vulnerability could have widespread operational impact if exploited. However, since no confidentiality or integrity impact is present, data breaches or unauthorized data manipulation are not immediate concerns. The lack of required privileges or user interaction means attackers can remotely trigger the crash, increasing the threat level. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks.

1. Immediate monitoring of UPF daemon stability and logs for unexpected crashes or assertion failures related to PFCP session establishment requests is critical. 2. Implement network-level filtering to restrict and validate PFCP traffic sources, ensuring only trusted SMF entities can send session establishment requests to the UPF. 3. Deploy anomaly detection systems to identify malformed or suspicious PFCP messages, particularly those with invalid PDN Type values. 4. Engage with the Open5GS community and vendors to obtain and apply patches or updates addressing this vulnerability as soon as they become available. 5. Consider implementing redundancy and failover mechanisms for UPF instances to minimize service disruption in case of crashes. 6. Conduct thorough testing of UPF components in controlled environments with malformed PFCP messages to assess resilience and prepare incident response plans. 7. Limit exposure of UPF management and control interfaces to untrusted networks to reduce attack surface. 8. For organizations using custom or modified Open5GS deployments, review and harden PFCP parameter validation logic to prevent assertion failures. These steps go beyond generic advice by focusing on protocol-specific filtering, monitoring, and community engagement tailored to the unique characteristics of this vulnerability.