CVE-2025-65567: n/a
A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association, a specially crafted PFCP Session Establishment Request with a CreatePDR that contains a malformed Flow-Description is not robustly validated. The Flow-Description parser (parseFlowDesc) can read beyond the bounds of the provided buffer, causing a panic and terminating the UPF process. An attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF.
AI Analysis
Technical Summary
CVE-2025-65567 identifies a denial-of-service (DoS) vulnerability in the omec-project User Plane Function (UPF), specifically in the pfcpiface component version 2.1.3-dev. The vulnerability occurs after the PFCP association is established between the Control Plane and the UPF. The issue lies in the handling of PFCP Session Establishment Requests that include a CreatePDR (Packet Detection Rule) containing a malformed Flow-Description. The Flow-Description parser (parseFlowDesc) does not robustly validate input, allowing it to read beyond the bounds of the provided buffer. This buffer over-read causes a panic in the UPF process, leading to its termination. Since the UPF is responsible for forwarding user data traffic in mobile networks, its crash results in denial of service for affected sessions. Exploitation requires an attacker to send crafted PFCP messages to the UPF's N4/PFCP endpoint, which is typically exposed within the mobile core network. No authentication or user interaction is required once network access is obtained, making the attack relatively straightforward for insiders or attackers who have penetrated the telecom operator's internal network. No patches or mitigations are currently listed, and no known exploits have been reported in the wild. The vulnerability was published on December 18, 2025, with no CVSS score assigned yet. The vulnerability impacts the availability of critical 5G/4G core network components and could disrupt mobile data services.
Potential Impact
The primary impact of CVE-2025-65567 is the disruption of mobile data services due to the denial-of-service condition caused by crashing the UPF process. For European organizations, particularly telecom operators and mobile network providers, this can lead to significant service outages affecting end-users and enterprise customers relying on 4G and 5G connectivity. The UPF is a core network element responsible for user plane traffic forwarding and policy enforcement; its failure can degrade network performance, cause dropped sessions, and interrupt critical communications. This may also impact emergency services, IoT deployments, and other latency-sensitive applications dependent on mobile networks. Additionally, repeated crashes could increase operational costs due to incident response and recovery efforts. The vulnerability could be exploited by malicious insiders or external attackers who gain access to the telecom operator's internal network or management interfaces, potentially as part of a larger attack campaign targeting telecom infrastructure. The lack of authentication requirement for exploitation increases the risk. Although no known exploits are reported yet, the vulnerability's nature suggests a high potential for abuse once weaponized.
Mitigation Recommendations
To mitigate CVE-2025-65567, affected organizations should prioritize the following actions:
1) Apply vendor patches or updates as soon as they become available for the omec-project UPF pfcpiface component.
2) Implement strict input validation and sanitization at the PFCP interface to detect and reject malformed Flow-Description fields before processing.
3) Restrict network access to the UPF's N4/PFCP endpoint using network segmentation, firewall rules, and access control lists to limit exposure only to trusted control plane entities.
4) Deploy anomaly detection systems to monitor PFCP traffic for unusual or malformed session establishment requests indicative of exploitation attempts.
5) Conduct regular security audits and penetration testing of the mobile core network components to identify and remediate similar vulnerabilities proactively.
6) Establish incident response procedures specifically for telecom core network elements to minimize downtime in case of exploitation.
7) Collaborate with upstream vendors and open-source communities to track vulnerability disclosures and share threat intelligence related to PFCP protocol attacks.
These measures go beyond generic advice by focusing on telecom-specific network controls and proactive detection tailored to PFCP traffic.
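Recommendation 2 and the parser panic described in the technical summary, as an added Go example that is not the omec-project code: a bounds-checked check of a Flow-Description string beside a hypothetical unchecked parser, plus a recover wrapper that turns a parser panic into a rejected message. It assumes the IPFilterRule-style text form (action dir proto from SRC [ports] to DST [ports]); every function name and sample string is constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

var ErrMalformed = errors.New("malformed flow description")
// naiveDst is hypothetical (not the project's parser): it indexes with no length check.
func naiveDst(raw string) (string, error) { return strings.Fields(raw)[6], nil }

// validAddr accepts "any", "assigned", a bare IP address or a CIDR prefix.
func validAddr(s string) bool {
	_, _, err := net.ParseCIDR(s)
	return s == "any" || s == "assigned" || net.ParseIP(s) != nil || err == nil
}

// CheckedDst returns DST; each index follows a length check that covers it.
func CheckedDst(raw string) (string, error) {
	f := strings.Fields(raw) // action dir proto from SRC [ports] to DST [ports]
	if len(raw) > 512 || len(f) < 7 || f[3] != "from" || !validAddr(f[4]) {
		return "", ErrMalformed
	}
	to := 5
	if f[to] != "to" { // an optional source-port token shifts later indexes
		to = 6
	}
	verbs := (f[0] == "permit" || f[0] == "deny") && (f[1] == "in" || f[1] == "out")
	if !verbs || len(f) < to+2 || len(f) > to+3 || f[to] != "to" || !validAddr(f[to+1]) {
		return "", ErrMalformed
	}
	return f[to+1], nil
}

// Guard turns a panic inside any parser into an error so the process keeps running.
func Guard(parse func(string) (string, error), raw string) (dst string, err error) {
	defer func() {
		if r := recover(); r != nil {
			dst, err = "", fmt.Errorf("%w: recovered: %v", ErrMalformed, r)
		}
	}()
	return parse(raw)
}

func main() {
	fmt.Println(Guard(naiveDst, "permit out ip from")) // constructed short input
}
```

Port and protocol tokens are only counted here, not range-checked.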
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 694451e44eb3efac36a23a4b
Added to database: 12/18/2025, 7:11:32 PM
Last enriched: 12/18/2025, 7:27:56 PM
Last updated: 12/19/2025, 4:07:42 AM