CVE-2025-29646: n/a
An issue in upf in open5gs 2.7.2 and earlier allows a remote attacker to cause a Denial of Service via a crafted PFCP SessionEstablishmentRequest packet with restoration indication = true and (teid = 0 or teid >= ogs_pfcp_pdr_teid_pool.size).
AI Analysis
Technical Summary
CVE-2025-29646 is a vulnerability in the User Plane Function (UPF) component of Open5GS, an open-source 5G core network implementation widely used for research, development, and some production deployments. It affects Open5GS version 2.7.2 and earlier and arises from improper handling of PFCP (Packet Forwarding Control Protocol) SessionEstablishmentRequest messages.

Specifically, when a remote attacker sends a crafted SessionEstablishmentRequest with the restoration indication flag set to true and a TEID (Tunnel Endpoint Identifier) that is either zero or equal to or greater than the size of the UPF's internal TEID pool (ogs_pfcp_pdr_teid_pool.size), the UPF can be forced into a Denial of Service (DoS) condition. This is most likely because the UPF uses the supplied TEID to access or allocate pool resources without validating it against the pool's bounds, so an invalid value leads to a crash or resource exhaustion.

No authentication or prior access to the network is required: PFCP is the control-plane signalling protocol between the SMF (Session Management Function) and the UPF, and such messages can be sent by anyone who can reach the UPF's PFCP (N4) interface. No user interaction is needed, and no exploitation in the wild had been reported as of the publication date. The impact is nevertheless significant because of the critical role of the UPF in 5G networks, where it handles user data forwarding and session management. A successful DoS could disrupt data traffic for many subscribers at once, causing service outages and degraded network reliability.
Potential Impact
For European organizations, especially telecom operators and enterprises deploying private 5G networks, this vulnerability poses a substantial risk. The UPF is a core component responsible for forwarding user data in 5G networks; a DoS condition here can lead to widespread service disruption, affecting voice, data, and IoT communications. This can impact critical infrastructure, emergency services, and commercial operations relying on 5G connectivity. Additionally, the disruption could have cascading effects on dependent services such as edge computing and network slicing. Given the increasing adoption of 5G across Europe, including in sectors like manufacturing, transportation, and healthcare, the potential for operational and financial damage is high. Furthermore, the inability to process legitimate PFCP session establishment requests could degrade network performance and customer experience, leading to reputational damage for service providers.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Upgrade Open5GS to a version in which this vulnerability is patched, once one is available. No patch links are provided at the time of writing, so monitor the Open5GS repositories and security advisories closely.
2) Enforce strict network segmentation and access controls so that PFCP (N4) control-plane traffic reaches the UPF only from trusted SMF nodes, minimizing exposure to unauthorized senders.
3) Deploy deep packet inspection (DPI) or protocol-aware firewalls to detect and block malformed PFCP messages, in particular SessionEstablishmentRequests that carry the restoration indication together with a TEID of zero or one at or beyond the configured pool size.
4) Monitor UPF logs and network telemetry for abnormal PFCP session establishment requests or repeated session establishment failures that may indicate exploitation attempts.
5) Rate-limit PFCP requests and deploy anomaly detection to identify and contain potential DoS attacks early.
6) Engage with vendors and the open-source community to contribute to or expedite a patch and to share threat intelligence.
These steps focus on protocol-specific controls and proactive monitoring tailored to the nature of the vulnerability.
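As an added illustration, not Open5GS's own code, of the bounds condition described in the technical summary and of the protocol-aware filtering in mitigation item 3: a hypothetical UPF TEID pool in C whose restoration path validates the SMF-supplied TEID against the pool bounds before using it as an index, plus a predicate that flags requests matching the advisory's trigger for DPI rules or log triage. The pool layout, function names and return codes are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of a UPF PDR TEID pool (illustrative, not Open5GS code).
 * Slot i stands for TEID value i; TEID 0 is never a valid tunnel endpoint. */
typedef struct {
    uint32_t size;   /* capacity, modelled after ogs_pfcp_pdr_teid_pool.size */
    bool *in_use;
} teid_pool_t;

int teid_pool_init(teid_pool_t *p, uint32_t size) {
    p->size = size;
    p->in_use = calloc(size, sizeof(bool));
    return p->in_use ? 0 : -1;
}

/* Triage predicate for a DPI rule or log review: does a decoded
 * SessionEstablishmentRequest match the advisory's trigger condition? */
bool sereq_matches_cve_2025_29646(bool resti, uint32_t teid, uint32_t pool_size) {
    return resti && (teid == 0 || teid >= pool_size);
}

/* Hardened restoration path: the SMF-supplied TEID is checked against the pool
 * bounds before it is used as an index. 0 = ok, -1 = out of range, -2 = taken. */
int teid_pool_restore(teid_pool_t *p, uint32_t teid) {
    if (teid == 0 || teid >= p->size)   /* reject instead of indexing blindly */
        return -1;
    if (p->in_use[teid])
        return -2;
    p->in_use[teid] = true;
    return 0;
}

/* Normal path: the UPF picks a free TEID itself; returns 0 when exhausted. */
uint32_t teid_pool_alloc(teid_pool_t *p) {
    for (uint32_t t = 1; t < p->size; t++)
        if (!p->in_use[t]) { p->in_use[t] = true; return t; }
    return 0;
}

/* Dispatch on the two request fields the advisory names; -3 = pool exhausted. */
int handle_session_establishment(teid_pool_t *p, bool resti, uint32_t teid,
                                 uint32_t *out_teid) {
    if (!resti) { *out_teid = teid_pool_alloc(p); return *out_teid ? 0 : -3; }
    int rc = teid_pool_restore(p, teid);
    if (rc == 0) *out_teid = teid;
    return rc;
}
```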
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-03-11T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6852ff0433c7acc046ffa85c
Added to database: 6/18/2025, 6:01:40 PM
Last enriched: 6/18/2025, 6:16:38 PM
Last updated: 8/16/2025, 12:31:43 PM