CVE-2025-65563 identifies a denial-of-service (DoS) vulnerability in the User Plane Function (UPF) component of the omec-project, specifically in the upf-epc/pfcpiface module up to at least version 2.1.3-dev. The vulnerability arises when the UPF receives a PFCP (Packet Forwarding Control Protocol) Association Setup Request message that lacks the mandatory NodeID Information Element. Instead of validating the presence of this required field, the association setup handler dereferences a nil pointer, causing a runtime panic that terminates the UPF process. This abrupt termination disrupts the UPF's ability to forward user-plane traffic, effectively causing a denial of service. The attack vector requires an adversary to send crafted PFCP Association Setup Request messages to the UPF's N4 interface, which is used for control plane signaling between the Session Management Function (SMF) and the UPF in 5G core networks. Exploitation does not require authentication, but the attacker must have network access to the PFCP endpoint, which is typically protected within telecom operator networks. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The UPF is a critical network function responsible for routing and forwarding user data packets in 5G networks, making this vulnerability significant for service availability. The flaw highlights insufficient input validation in the PFCP message handling logic, a common source of vulnerabilities in telecom protocol implementations. Given the essential role of UPF in 5G infrastructure, successful exploitation could lead to repeated service interruptions, impacting end-user connectivity and operator service level agreements.

The primary impact of CVE-2025-65563 is the disruption of user-plane services in 5G networks due to repeated crashes of the UPF component. For European organizations, particularly telecom operators and service providers deploying the omec-project UPF, this vulnerability threatens network availability and reliability. Service outages caused by UPF crashes can lead to degraded user experience, loss of revenue, and potential regulatory penalties under EU telecom service mandates. Critical infrastructure relying on 5G connectivity, including emergency services, IoT deployments, and industrial automation, could experience interruptions. The vulnerability could also be exploited as part of a broader attack campaign to degrade national or regional telecom infrastructure. Since the attack requires network access to the PFCP interface, insider threats or compromised network segments pose a significant risk. The absence of authentication requirements lowers the barrier for exploitation within the operator's network perimeter. Overall, the vulnerability undermines the integrity of 5G core network operations and could have cascading effects on dependent services and applications across Europe.

To mitigate CVE-2025-65563, European telecom operators should implement strict input validation on all PFCP messages received at the UPF's N4 interface, ensuring mandatory Information Elements like NodeID are present before processing. Operators should monitor UPF logs and network traffic for malformed PFCP Association Setup Requests indicative of exploitation attempts. Network segmentation and access controls should restrict PFCP endpoint accessibility to trusted SMF instances and management systems only, minimizing exposure to unauthorized actors. Deploying anomaly detection systems to identify unusual PFCP message patterns can provide early warning of exploitation attempts. Operators should engage with the omec-project community and vendors to obtain and apply patches or updated versions that address this vulnerability once available. Additionally, implementing redundancy and failover mechanisms for UPF instances can reduce service disruption impact. Regular security audits and penetration testing focused on 5G core network components are recommended to identify similar weaknesses proactively. Finally, updating incident response plans to include scenarios involving UPF DoS attacks will improve operational readiness.