CVE-2025-65561 is a security vulnerability identified in free5GC version 4.1.0, an open-source 5G core network implementation. The flaw resides in the LocalNode.Sess function, which processes PFCP (Packet Forwarding Control Protocol) Session Modification Requests. Specifically, an attacker can craft a malicious Local SEID (Session Endpoint Identifier) header within these PFCP messages to trigger a denial of service (DoS) condition or potentially cause other unspecified impacts on the 5G core network node. PFCP is a critical protocol used between the control plane and user plane functions in 5G networks to manage session states and forwarding rules. Exploiting this vulnerability could disrupt session management, leading to service interruptions or degraded network performance. The vulnerability does not have a CVSS score yet, and no public exploits have been reported, indicating it may be newly discovered or not yet weaponized. However, given the critical role of PFCP in 5G core operations, the impact could be significant. The attack likely requires network-level access to the 5G core infrastructure, as PFCP messages are exchanged internally between network functions. The absence of patches or mitigation details suggests that operators must monitor for updates and apply security best practices to protect their 5G core deployments.

For European organizations, particularly telecom operators and service providers deploying 5G networks, this vulnerability poses a risk of service disruption through denial of service attacks targeting core network functions. Disruption of PFCP session management can lead to dropped or failed user sessions, impacting end-user connectivity and service quality. This could affect critical communications, including emergency services and enterprise applications relying on 5G connectivity. The unspecified impacts beyond DoS could include unauthorized session manipulation or network instability, further threatening network integrity and availability. Given the strategic importance of 5G infrastructure in Europe for digital economy and public services, exploitation could have cascading effects on multiple sectors. Additionally, the use of open-source 5G core implementations like free5GC in some European networks increases exposure. The lack of known exploits currently reduces immediate risk, but the potential for future weaponization necessitates proactive defense measures.

European 5G network operators should implement strict validation and filtering of PFCP messages, especially scrutinizing the Local SEID headers in Session Modification Requests to detect and block malformed or suspicious packets. Network segmentation and isolation of 5G core components can limit exposure to potentially malicious traffic. Operators should monitor vendor and open-source project advisories closely for patches addressing this vulnerability and apply them promptly once available. Employing anomaly detection systems focused on PFCP traffic patterns can help identify exploitation attempts early. Additionally, restricting administrative and network access to core network functions through robust authentication and access controls reduces the attack surface. Collaboration with national cybersecurity agencies and participation in information sharing forums can enhance situational awareness and coordinated response. Finally, conducting regular security assessments and penetration testing of 5G core infrastructure can uncover similar vulnerabilities proactively.