
CVE-2025-48219: CWE-201 Insertion of Sensitive Information Into Sent Data in O2 UK O2

Severity: Low
Tags: Vulnerability, CVE, CVE-2025-48219, CWE-201
Published: Sun May 18 2025 (05/18/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: O2 UK
Product: O2

Description

O2 UK before 2025-05-19 allows subscribers to determine the Cell ID of other subscribers by initiating an IMS (IP Multimedia Subsystem) call and then reading the utran-cell-id-3gpp field of a Cellular-Network-Info SIP header, aka an ECI (E-UTRAN Cell Identity) leak. The Cell ID might be usable to identify a cell location via crowdsourced data, and might correspond to a small physical area (e.g., if the called party is in a city centre). Removal of the Cellular-Network-Info header is mentioned in section 4.4.19 of ETSI TS 124 229.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 16:33:17 UTC

Technical Analysis

CVE-2025-48219 is a vulnerability in the O2 UK mobile network infrastructure affecting IMS (IP Multimedia Subsystem) calls. Before the patch date of May 19, 2025, O2 UK allowed a subscriber to obtain the Cell ID of another subscriber by initiating an IMS call and reading the utran-cell-id-3gpp field of the Cellular-Network-Info SIP header. This field carries the E-UTRAN Cell Identity (ECI), which can be correlated with physical cell tower locations. Because cell IDs can be mapped to geographic locations using crowdsourced databases, any subscriber acting as an attacker could infer the approximate physical location of the called party, potentially down to a small area such as a city centre.

The vulnerability is classified under CWE-201 (insertion of sensitive information into sent data), i.e. unintended information disclosure. The root cause is that the Cellular-Network-Info header is not removed or sanitized as recommended by ETSI TS 124 229 section 4.4.19, which specifies that such information should be excluded from SIP signaling messages in order to protect subscriber privacy.

The CVSS v3.1 score is 3.5 (low severity), reflecting that the vulnerability requires network access (AV:N), has high attack complexity (AC:H), requires low privileges (PR:L), and needs no user interaction (UI:N). The impact is limited to confidentiality (C:L), with no effect on integrity or availability. No exploits are reported in the wild, and no patches are currently linked, so mitigation may rely on vendor updates or on configuration changes by the network operator.

Potential Impact

For European organizations, particularly telecommunications providers and enterprises relying on O2 UK network services or similar IMS-based telephony systems, this vulnerability poses a privacy risk rather than a direct operational threat. The ability to infer subscriber location through leaked Cell ID data can lead to privacy violations, targeted surveillance, or profiling of individuals. Organizations handling sensitive communications or subject to strict data protection regulations such as GDPR must be aware that subscriber location data leakage could constitute a personal data breach. Although the vulnerability does not allow direct compromise of network integrity or availability, the exposure of location information could be exploited by malicious actors for stalking, targeted phishing, or other social engineering attacks. Enterprises with employees using O2 UK services may face indirect risks if adversaries leverage location data to facilitate further attacks. The low severity score reflects the limited scope and complexity, but the privacy implications remain significant in the European context where data protection is paramount.

Mitigation Recommendations

To mitigate CVE-2025-48219, O2 UK and similar network operators should promptly implement the removal or sanitization of the Cellular-Network-Info SIP header as per ETSI TS 124 229 section 4.4.19. This involves configuring IMS signaling components to exclude or mask the utran-cell-id-3gpp field before forwarding SIP messages to subscribers. Network operators should audit their IMS call flows and SIP header contents to ensure no sensitive location identifiers are leaked. Subscribers and enterprises should monitor for vendor patches or network operator advisories and apply updates as soon as they become available. Additionally, organizations can implement network-level monitoring to detect anomalous IMS call patterns that may indicate attempts to exploit this vulnerability. Raising user awareness about the potential privacy risks of IMS calls and encouraging cautious use of IMS-based services can also reduce exposure. Finally, regulatory bodies should engage with telecom providers to enforce compliance with privacy standards and ensure timely remediation.
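As an added illustration (not code from the advisory, from O2 UK, or from any IMS vendor), the Python below implements the two defender-side checks described in the analysis and mitigation sections: an audit function that flags every utran-cell-id-3gpp value carried in a Cellular-Network-Info header of a SIP message, and a sanitizer that drops that header before the message is forwarded, as section 4.4.19 of ETSI TS 124 229 expects. The SIP INVITE is constructed for the demo, and the layout of the header value (access type, then utran-cell-id-3gpp=MCC+MNC+TAC+ECI) is an assumption modelled on the P-Access-Network-Info header.

```python
import re

# Constructed sample SIP INVITE (not a real capture). The Cellular-Network-Info
# value is assumed to follow the P-Access-Network-Info layout: access type,
# then utran-cell-id-3gpp=MCC+MNC+TAC+ECI (hex digits, made up here).
SAMPLE_INVITE = (
    "INVITE sip:+441632960000@ims.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1;branch=z9hG4bKexample\r\n"
    "From: <sip:+441632960001@ims.example.net>;tag=abc123\r\n"
    "To: <sip:+441632960000@ims.example.net>\r\n"
    "Call-ID: example-call-id@192.0.2.1\r\n"
    "Cellular-Network-Info: 3GPP-E-UTRAN-FDD; utran-cell-id-3gpp=234101A2B0123456\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

HEADER_NAME = "cellular-network-info"          # SIP header names are case-insensitive
CELL_ID_RE = re.compile(r"utran-cell-id-3gpp=([0-9A-Fa-f]+)")


def _split(msg: str):
    """Split a SIP message into (start line, header lines, separator + body)."""
    head, sep, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], sep + body


def _header_name(line: str) -> str:
    return line.split(":", 1)[0].strip().lower()


def find_leaked_cell_ids(msg: str) -> list[str]:
    """Audit check: return every utran-cell-id-3gpp value found in a
    Cellular-Network-Info header. A non-empty result on a message about to
    be forwarded towards another subscriber is the CVE-2025-48219 condition."""
    _, headers, _ = _split(msg)
    found: list[str] = []
    for line in headers:
        if _header_name(line) == HEADER_NAME:
            found.extend(CELL_ID_RE.findall(line))
    return found


def strip_cellular_network_info(msg: str) -> str:
    """Mitigation: remove the Cellular-Network-Info header before the message
    leaves the operator's trust domain (ETSI TS 124 229 section 4.4.19).
    Every other header and the body are preserved unchanged."""
    start, headers, body = _split(msg)
    kept = [h for h in headers if _header_name(h) != HEADER_NAME]
    return "\r\n".join([start] + kept) + body
```

Folded (continuation) header lines are not handled here; a production filter at the P-CSCF or IBCF should operate on the parsed SIP message rather than on raw text.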


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-05-18T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb491

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/11/2025, 4:33:17 PM

Last updated: 8/18/2025, 11:28:41 PM

Views: 11
