CVE-2025-65559: n/a
An issue was discovered in Open5GS 2.7.5-49-g465e90f. When processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in `lib/pfcp/context.c` (`ogs_pfcp_object_teid_hash_set`) if the CreatePDR→PDI→F-TEID has CH=1 and the F-TEID address-family flag(s) (IPv4/IPv6) do not match the GTP-U resource family configured for the selected DNN (Network Instance), resulting in a denial of service.
AI Analysis
Technical Summary
CVE-2025-65559 is a vulnerability identified in Open5GS version 2.7.5-49-g465e90f, specifically within the User Plane Function (UPF) component responsible for handling PFCP (Packet Forwarding Control Protocol) messages. The flaw occurs during processing of a PFCP Session Establishment Request (message type 50) when the CreatePDR (Packet Detection Rule) contains a PDI (Packet Detection Information) with an F-TEID (Fully Qualified Tunnel Endpoint Identifier) that has the CH (Change) flag set to 1. If the address-family flags within the F-TEID (indicating IPv4 or IPv6) do not correspond to the GTP-U (GPRS Tunneling Protocol - User plane) resource family configured for the selected DNN (Data Network Name or Network Instance), an assertion in the function `ogs_pfcp_object_teid_hash_set` within `lib/pfcp/context.c` is triggered. This assertion failure is reachable and causes the UPF process to crash, resulting in a denial of service (DoS). The vulnerability arises from insufficient validation of address-family consistency between PFCP message fields and the UPF configuration. Exploitation requires sending a crafted PFCP Session Establishment Request to the UPF, which typically does not require authentication but does require network-level access to the control plane interface. No public exploits or active exploitation have been reported as of the publication date. The vulnerability impacts the availability of the UPF, a critical component in 5G core networks responsible for forwarding user data packets. Disruption of the UPF can lead to service outages affecting mobile broadband and other 5G services. The vulnerability highlights the importance of rigorous input validation in protocol message processing within telecom network functions. Since Open5GS is an open-source 5G core network implementation used by various operators and vendors, the impact could be broad depending on deployment scale.
The lack of a CVSS score necessitates a severity assessment based on impact and exploitability factors.
Potential Impact
For European organizations, particularly telecom operators and service providers deploying Open5GS or similar open-source 5G core network implementations, this vulnerability poses a significant risk to network availability. The UPF is a critical component in 5G networks responsible for user plane data forwarding; its crash leads to denial of service, potentially interrupting mobile broadband and enterprise 5G services. This can degrade customer experience, cause revenue loss, and impact critical communications infrastructure. Given the increasing adoption of 5G in Europe for both consumer and industrial applications, disruption of UPF services could affect sectors reliant on low-latency and high-throughput connectivity, including manufacturing, healthcare, and public safety. The vulnerability does not compromise confidentiality or integrity directly but impacts availability severely. Since exploitation requires sending malformed PFCP messages, attackers with access to the control plane or compromised network elements could trigger the DoS. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as 5G networks expand. European regulators and operators must consider this vulnerability in their risk assessments and incident response planning to maintain network resilience.
Mitigation Recommendations
1. Implement strict validation of PFCP Session Establishment Requests, ensuring that the address-family flags in the F-TEID field match the configured GTP-U resource family for the selected DNN before processing.
2. Monitor UPF logs and control plane traffic for anomalous or malformed PFCP messages that could indicate exploitation attempts.
3. Restrict access to the PFCP control plane interface using network segmentation, firewall rules, and access control lists to limit exposure to trusted entities only.
4. Deploy runtime protections such as process supervision and automatic restart mechanisms for the UPF to minimize downtime in case of crashes.
5. Engage with the Open5GS community or vendor to obtain patches or updated versions that address this assertion failure and apply them promptly.
6. Conduct regular security audits and penetration testing on 5G core network components to identify and remediate similar protocol handling issues.
7. Establish incident response procedures specific to 5G core network disruptions to enable rapid mitigation and recovery.
8. Consider deploying redundancy and load balancing for UPF instances to maintain service continuity in case of individual node failures.
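The check described in recommendation 1, as an added example that is not Open5GS code and not part of the original advisory: it validates the F-TEID flags octet against the GTP-U resource configured for the DNN and returns an error status instead of asserting. The struct, enum and function names are hypothetical, the flag bit positions follow the F-TEID IE layout in 3GPP TS 29.244, and the policy that every requested family must be configured is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* F-TEID flag bits in the first octet of the IE value (3GPP TS 29.244). */
#define FTEID_V4 0x01
#define FTEID_V6 0x02
#define FTEID_CH 0x04
/* Hypothetical model of the GTP-U resource configured for one DNN. */
struct gtpu_resource { int has_ipv4; int has_ipv6; };

enum fteid_check {
    FTEID_OK = 0,
    FTEID_ERR_TRUNCATED,       /* IE value has no flags octet */
    FTEID_ERR_NO_RESOURCE,     /* no GTP-U resource for the selected DNN */
    FTEID_ERR_NO_FAMILY,       /* CH=1 with neither V4 nor V6 set */
    FTEID_ERR_FAMILY_MISMATCH  /* requested family is not configured */
};

/* Run before any TEID is allocated or hashed, so that a bad request is
 * answered with a rejection instead of reaching an assertion. */
enum fteid_check check_fteid_family(const uint8_t *ie, size_t len,
                                    const struct gtpu_resource *res)
{
    if (ie == NULL || len < 1)
        return FTEID_ERR_TRUNCATED;
    uint8_t flags = ie[0];
    if (!(flags & FTEID_CH))
        return FTEID_OK;  /* CH=0: peer supplied the F-TEID, outside this check */
    if (res == NULL)
        return FTEID_ERR_NO_RESOURCE;
    if (!(flags & (FTEID_V4 | FTEID_V6)))
        return FTEID_ERR_NO_FAMILY;
    /* Assumed policy: every family the request asks for must be configured. */
    if (((flags & FTEID_V4) && !res->has_ipv4) ||
        ((flags & FTEID_V6) && !res->has_ipv6))
        return FTEID_ERR_FAMILY_MISMATCH;
    return FTEID_OK;
}

int main(void)
{
    /* Constructed inputs: flags octets only, UPF configured with IPv4 only. */
    const struct gtpu_resource v4_only = { 1, 0 };
    const uint8_t samples[] = { 0x05, 0x06, 0x07, 0x04, 0x02 };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("flags=0x%02x -> %d\n", (unsigned)samples[i],
               (int)check_fteid_family(&samples[i], 1, &v4_only));
    return 0;
}
```

A caller would map any non-zero status to a PFCP rejection of the request and log the offending flags and DNN, which also provides the log signal that recommendation 2 asks operators to monitor.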
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69444e5e4eb3efac36a13dca
Added to database: 12/18/2025, 6:56:30 PM
Last enriched: 12/18/2025, 7:11:59 PM
Last updated: 12/19/2025, 4:07:43 AM