CVE-2025-65565: n/a
A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association is established, a PFCP Session Establishment Request that is missing the mandatory F-SEID (CPF-SEID) Information Element is not properly validated. The session establishment handler calls IE.FSEID() on a nil pointer, which triggers a panic and terminates the UPF process. An attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services.
AI Analysis
Technical Summary
CVE-2025-65565 is a denial-of-service vulnerability identified in the omec-project User Plane Function (UPF), specifically in the pfcpiface component version 2.1.3-dev. The vulnerability arises during the handling of PFCP (Packet Forwarding Control Protocol) Session Establishment Requests. After a PFCP association is established, the UPF expects a mandatory F-SEID (Fully Qualified SEID) Information Element in the session establishment request. However, the pfcpiface component does not properly validate the presence of this IE. When a request lacking the F-SEID IE is received, the session establishment handler attempts to call IE.FSEID() on a nil pointer, causing a runtime panic that crashes the UPF process. This results in a denial-of-service condition, disrupting the user-plane services managed by the UPF. The vulnerability can be exploited remotely by an attacker who can send PFCP Session Establishment Requests to the UPF's N4/PFCP endpoint without requiring authentication or user interaction. The CVSS v3.1 base score is 7.5, indicating a high-severity issue with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability (no confidentiality or integrity impact). No patches or known exploits are currently reported, but the vulnerability stems from a null pointer dereference (CWE-476), a common programming error. The UPF is a critical component in 5G core networks responsible for forwarding user data traffic, making this vulnerability significant in telecom environments using the omec-project UPF implementation.
Potential Impact
The primary impact of CVE-2025-65565 is on the availability of the UPF component within 5G core networks. Exploitation causes the UPF process to crash repeatedly, leading to denial of user-plane services such as data forwarding and session management. For European organizations, particularly telecom operators and service providers deploying omec-project UPF, this can result in significant service disruptions affecting end users and enterprise customers relying on 5G connectivity. The loss of UPF availability can degrade network performance, cause dropped sessions, and impact critical services dependent on 5G data transport. Since the vulnerability does not affect confidentiality or integrity, data breaches or manipulation are not direct concerns. However, the disruption of user-plane traffic can have cascading effects on business operations, emergency services, and IoT deployments. The ease of exploitation (no authentication or user interaction required) increases the risk of targeted or opportunistic attacks. European telecom infrastructure with widespread 5G adoption and open-source UPF deployments is particularly vulnerable, potentially affecting national communications and digital economy sectors.
Mitigation Recommendations
To mitigate CVE-2025-65565, affected organizations should prioritize the following actions:
1) Apply vendor-supplied patches or updates to the omec-project UPF pfcpiface component once available.
2) Implement strict input validation on PFCP messages at the network edge or firewall level to detect and block malformed PFCP Session Establishment Requests missing mandatory IEs such as F-SEID.
3) Deploy anomaly detection systems monitoring PFCP traffic for unusual patterns indicative of malformed or malicious session establishment attempts.
4) Use network segmentation and access controls to restrict which entities can send PFCP messages to the UPF N4 interface, limiting exposure to untrusted sources.
5) Maintain robust logging and alerting on UPF process crashes and PFCP errors to enable rapid incident response.
6) Consider redundancy and failover mechanisms for UPF instances to maintain service continuity in case of crashes.
7) Engage with the omec-project community and security advisories for timely updates and best practices.
These measures go beyond generic advice by focusing on protocol-level filtering, network access restrictions, and operational monitoring tailored to the UPF and PFCP context.
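The presence check that the Technical Summary describes as missing, and that recommendation 2 asks for at the edge, can be sketched as follows. This is an added example, not omec-project code: `cpSEID`, `ie`, `sample` and the error values are hypothetical names, the type codes are those of 3GPP TS 29.244, and the messages are constructed samples.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const msgSessionEstReq, ieFSEID, ieNodeID = 50, 57, 60 // type codes, 3GPP TS 29.244

var ErrMalformed = errors.New("pfcp: malformed message")
var ErrMissingFSEID = errors.New("pfcp: session establishment request lacks mandatory F-SEID")

// ie and sample build the constructed test messages (not captured traffic).
func ie(t uint16, v []byte) []byte {
	return append([]byte{byte(t >> 8), byte(t), byte(len(v) >> 8), byte(len(v))}, v...)
}

func sample(ies ...[]byte) []byte {
	body := bytes.Join(ies, nil)
	n := 12 + len(body) // length field excludes the first 4 header octets
	return append([]byte{0x21, msgSessionEstReq, byte(n >> 8), byte(n), 15: 0}, body...)
}

// cpSEID returns the SEID from the F-SEID IE; an absent IE is an error, never a nil dereference.
func cpSEID(pkt []byte) (uint64, error) {
	// 16-byte header: flags (version 1, S=1), type, length, SEID, sequence, spare.
	if len(pkt) < 16 || pkt[0]>>5 != 1 || pkt[0]&1 == 0 || pkt[1] != msgSessionEstReq ||
		int(binary.BigEndian.Uint16(pkt[2:]))+4 != len(pkt) {
		return 0, ErrMalformed
	}
	body := pkt[16:]
	for len(body) >= 4 { // walk the top-level TLV information elements
		t, end := binary.BigEndian.Uint16(body), 4+int(binary.BigEndian.Uint16(body[2:]))
		if end > len(body) || (t == ieFSEID && end < 13) { // F-SEID: flags + 8-byte SEID
			return 0, ErrMalformed
		}
		if t == ieFSEID {
			return binary.BigEndian.Uint64(body[5:13]), nil
		}
		body = body[end:]
	}
	return 0, ErrMissingFSEID
}

func main() {
	fmt.Println(cpSEID(sample(ie(ieNodeID, []byte{0, 10, 0, 0, 1})))) // rejected with an error
}
```

A handler or PFCP-aware filter that gets `ErrMissingFSEID` can drop the request or answer with a rejection cause and keep running.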
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 694451e44eb3efac36a23a5e
Added to database: 12/18/2025, 7:11:32 PM
Last enriched: 12/25/2025, 7:56:56 PM
Last updated: 2/4/2026, 3:20:09 AM