CVE-2025-65565: n/a
CVE-2025-65565 is a denial-of-service vulnerability in the omec-project UPF pfcpiface component version 2.1.3-dev. The flaw occurs when a PFCP Session Establishment Request missing the mandatory F-SEID IE is processed, causing a nil pointer dereference and crashing the UPF process. An attacker capable of sending crafted PFCP messages to the UPF's N4/PFCP interface can exploit this to repeatedly disrupt user-plane services. This vulnerability impacts the availability of the UPF, a critical component in 5G core networks responsible for user data forwarding. No authentication or user interaction is required to exploit this issue, and no known exploits are currently reported in the wild. European telecom operators deploying omec-project UPF versions prior to a patch are at risk of service disruption. Mitigation requires patching or implementing input validation to reject malformed PFCP messages. Countries with advanced 5G infrastructure and significant omec-project adoption, such as Germany, France, and the UK, are most likely affected.
AI Analysis
Technical Summary
CVE-2025-65565 identifies a denial-of-service vulnerability in the omec-project User Plane Function (UPF), specifically within the pfcpiface component version 2.1.3-dev. The vulnerability arises after a PFCP (Packet Forwarding Control Protocol) association is established between the UPF and a control plane entity. When the UPF receives a PFCP Session Establishment Request message that lacks the mandatory F-SEID (Fully Qualified SEID) Information Element, the pfcpiface component fails to properly validate this input. The session establishment handler attempts to invoke the FSEID() method on a nil pointer, which triggers a runtime panic in the Go-based implementation, causing the UPF process to crash. Since the UPF is responsible for forwarding user-plane traffic in 5G networks, its crash results in denial of service, disrupting user data flows. An attacker who can send PFCP messages to the UPF’s N4 interface (the interface between the control plane and user plane) can exploit this vulnerability without authentication or user interaction. The vulnerability does not have a CVSS score assigned yet, and no patches or known exploits have been reported at the time of publication. The flaw highlights insufficient input validation and error handling in the pfcpiface component, which can be exploited to cause repeated crashes and service interruptions. This vulnerability is particularly critical in 5G deployments using the omec-project UPF, an open-source implementation gaining traction in telecom networks. The lack of proper validation of mandatory protocol elements is a common source of denial-of-service conditions in network functions. The vulnerability underscores the importance of robust protocol parsing and defensive programming in telecom software components.
Potential Impact
The primary impact of CVE-2025-65565 is on the availability of 5G user-plane services. The UPF is a core network function responsible for forwarding user data packets between the radio access network and external data networks. A denial-of-service condition in the UPF leads to disruption or complete loss of user data connectivity for subscribers served by the affected UPF instance. For European organizations, especially telecom operators and mobile network providers deploying omec-project UPF, this vulnerability could cause significant service outages, impacting millions of users. Disrupted user-plane services can degrade customer experience, cause revenue loss, and damage operator reputation. Additionally, repeated crashes may increase operational costs due to emergency troubleshooting and recovery efforts. The vulnerability could also be leveraged as part of a larger attack campaign targeting telecom infrastructure, potentially affecting critical communications in sectors such as emergency services, finance, and government. Given the essential role of 5G networks in digital transformation and IoT deployments across Europe, the availability impact could have cascading effects on dependent industries and services. The lack of authentication for exploitation increases the risk of external attackers or malicious insiders triggering the denial-of-service. While no known exploits are reported yet, the simplicity of the attack vector suggests a high likelihood of future exploitation attempts.
Mitigation Recommendations
To mitigate CVE-2025-65565, European telecom operators and network administrators should prioritize the following actions:
1) Apply patches or updates from the omec-project community or vendors as soon as they become available to fix the input validation flaw in the pfcpiface component.
2) Implement strict input validation and sanity checks on PFCP Session Establishment Requests at the UPF N4 interface to reject messages missing mandatory Information Elements such as F-SEID before processing.
3) Deploy network-level filtering or access control lists (ACLs) to restrict PFCP message sources to trusted control plane entities, minimizing exposure to unauthorized or malicious PFCP traffic.
4) Monitor UPF process stability and logs for signs of crashes or malformed PFCP messages to enable rapid detection and response.
5) Consider redundancy and failover mechanisms in UPF deployment to maintain user-plane availability during potential crashes.
6) Engage with the omec-project community to track vulnerability disclosures and recommended security best practices.
7) Conduct regular security assessments and penetration testing focused on PFCP protocol handling to identify similar weaknesses.
These measures go beyond generic advice by focusing on protocol-specific validation, network segmentation, and operational monitoring tailored to the omec-project UPF environment.
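The check that recommendation 2 calls for, as an added example (not omec-project code, and not taken from the original page): a standard-library-only validator that walks the IEs of a Session Establishment Request and rejects it with Cause "Mandatory IE missing" before any handler touches the F-SEID. The names `Validate`, `ie` and `request` are hypothetical, the numeric values are those of 3GPP TS 29.244, and the sample messages are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Numeric values from 3GPP TS 29.244.
const msgSessEstReq, ieFSEID, ieNodeID = 50, 57, 60  // message type, IE types
const causeAccepted, causeMandatoryIEMissing = 1, 66 // Cause values
var errMalformed = fmt.Errorf("malformed PFCP message")

// ie (one TLV IE) and request (header with S flag, zero SEID) build sample input only.
func ie(t uint16, v ...byte) []byte {
	return append([]byte{byte(t >> 8), byte(t), byte(len(v) >> 8), byte(len(v))}, v...)
}
func request(ies ...[]byte) []byte {
	body := append(make([]byte, 12), bytes.Join(ies, nil)...)
	return append([]byte{0x21, msgSessEstReq, byte(len(body) >> 8), byte(len(body))}, body...)
}

// Validate returns the Cause to answer with and, on rejection, the missing IE type.
func Validate(msg []byte) (cause uint8, missing uint16, err error) {
	if len(msg) < 16 || msg[0]>>5 != 1 || msg[0]&1 == 0 || msg[1] != msgSessEstReq ||
		int(binary.BigEndian.Uint16(msg[2:]))+4 != len(msg) {
		return 0, 0, errMalformed // wrong version or type, no SEID, or bad length
	}
	seen := map[uint16]bool{}
	for b := msg[16:]; len(b) > 0; {
		if len(b) < 4 || len(b) < 4+int(binary.BigEndian.Uint16(b[2:])) {
			return 0, 0, errMalformed // truncated IE header or value
		}
		seen[binary.BigEndian.Uint16(b)] = true
		b = b[4+int(binary.BigEndian.Uint16(b[2:])):]
	}
	for _, t := range []uint16{ieNodeID, ieFSEID} {
		if !seen[t] {
			return causeMandatoryIEMissing, t, nil // reject before any handler runs
		}
	}
	return causeAccepted, 0, nil
}

func main() {
	nodeID, fseid := ie(ieNodeID, 0, 192, 0, 2, 1), ie(ieFSEID, 2, 0, 0, 0, 0, 0, 0, 0, 1, 192, 0, 2, 1)
	fmt.Println(Validate(request(nodeID, fseid))) // 1 0 <nil>
	fmt.Println(Validate(request(nodeID)))        // 66 57 <nil>
}
```

The returned IE type is what a Session Establishment Response would carry as the Offending IE alongside the rejection Cause, so the control plane learns why the request was refused while the UPF keeps running.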
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 694451e44eb3efac36a23a5e
Added to database: 12/18/2025, 7:11:32 PM
Last enriched: 12/18/2025, 7:26:31 PM
Last updated: 12/18/2025, 8:13:18 PM