CVE-2025-15417 Overview
A denial of service vulnerability has been identified in Open5GS versions up to 2.7.6. The vulnerability exists in the sgwc_s11_handle_create_session_request function within the src/sgwc/s11-handler.c file, which is part of the GTPv2-C F-TEID Handler component. Successful exploitation of this vulnerability allows an attacker with local access to cause a denial of service condition, disrupting the availability of the affected 5G core network component.
Critical Impact
Local attackers can exploit improper resource shutdown in the GTPv2-C handler to cause service disruption in Open5GS 5G core network deployments.
Affected Products
- Open5GS versions up to and including 2.7.6
- Open5GS SGW-C (Serving Gateway Control Plane) component
- Deployments utilizing the GTPv2-C protocol interface
Discovery Timeline
- 2026-01-01 - CVE-2025-15417 published to NVD
- 2026-01-06 - Last updated in NVD database
Technical Details for CVE-2025-15417
Vulnerability Analysis
This vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release). The flaw resides in the SGW-C component's handling of GTPv2-C Create Session Request messages, specifically in how F-TEID (Fully Qualified Tunnel Endpoint Identifier) data is processed. When the sgwc_s11_handle_create_session_request function receives malformed or specially crafted input, it fails to properly manage resources, leading to a denial of service condition.
The GTPv2-C protocol is critical for control plane signaling in 4G/5G networks, handling session creation, modification, and deletion between network elements. Improper handling of F-TEID parameters in session requests can cause the SGW-C process to become unresponsive or crash, impacting mobile network connectivity.
Root Cause
The root cause of this vulnerability is improper resource shutdown or release (CWE-404) in the sgwc_s11_handle_create_session_request function. When processing GTPv2-C messages containing F-TEID information, the code path fails to properly validate and release resources under certain conditions. This improper resource management can be triggered by manipulated input, causing the service to enter an unstable state or terminate unexpectedly.
Attack Vector
The attack requires local access to the system running Open5GS. An attacker with local privileges can send specially crafted GTPv2-C Create Session Request messages to the SGW-C component. The manipulation targets the F-TEID handling logic, exploiting the improper resource management to cause service disruption. While the attack is limited to local access, the impact on network availability can be significant in production 5G deployments.
The vulnerability mechanism involves improper handling of resources in the GTPv2-C F-TEID processing logic. When the sgwc_s11_handle_create_session_request function processes malformed F-TEID data, resources are not properly released, leading to service instability. For detailed technical analysis, refer to the GitHub Issue Discussion.
Detection Methods for CVE-2025-15417
Indicators of Compromise
- Unexpected crashes or restarts of the Open5GS SGW-C service
- Abnormal memory consumption patterns in the open5gs-sgwcd process
- Error logs indicating failures in the sgwc_s11_handle_create_session_request function
- Increased GTPv2-C session creation failures reported by connected network elements
Detection Strategies
- Monitor Open5GS SGW-C process health and implement automatic restart detection
- Configure logging to capture GTPv2-C protocol errors and session handling failures
- Implement network monitoring for unusual S11 interface traffic patterns
- Deploy process monitoring to detect abnormal resource consumption or unexpected terminations
Monitoring Recommendations
- Enable verbose logging for the SGW-C component to capture F-TEID handling events
- Set up alerts for SGW-C service interruptions or repeated restarts
- Monitor system resource utilization for processes handling GTPv2-C traffic
- Review audit logs for local user activity on systems running Open5GS components
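The restart-monitoring recommendations above, as an added example (not code from Open5GS or from this advisory): it scans `journalctl -u open5gs-sgwcd -o short-iso` output for abnormal main-process exits and flags bursts of them. The unit name comes from this page; the sample lines, host name, signal values and the 3-in-10-minutes threshold are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

UNIT = "open5gs-sgwcd.service"  # unit name as used on this page

# systemd's message for the unit's main process ending (journalctl -o short-iso).
EXIT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ systemd\[1\]: " + re.escape(UNIT)
    + r": Main process exited, code=(?P<code>\w+), status=(?P<status>\S+)$"
)

# Constructed sample input; host name and signal values are illustrative only.
SAMPLE = """\
2026-01-07T10:00:01+0000 epc1 systemd[1]: Started open5gs-sgwcd.service.
2026-01-07T10:02:13+0000 epc1 systemd[1]: open5gs-sgwcd.service: Main process exited, code=dumped, status=6/ABRT
2026-01-07T10:02:13+0000 epc1 systemd[1]: open5gs-sgwcd.service: Failed with result 'core-dump'.
2026-01-07T10:04:40+0000 epc1 systemd[1]: open5gs-sgwcd.service: Main process exited, code=dumped, status=6/ABRT
2026-01-07T10:07:55+0000 epc1 systemd[1]: open5gs-sgwcd.service: Main process exited, code=killed, status=11/SEGV
2026-01-07T11:30:00+0000 epc1 systemd[1]: open5gs-sgwcd.service: Main process exited, code=exited, status=1/FAILURE
""".splitlines()


def abnormal_exits(lines):
    """Yield (timestamp, code, status) for every non-zero or signal exit."""
    for line in lines:
        m = EXIT_RE.match(line.strip())
        if m is None or (m["code"] == "exited" and m["status"].startswith("0/")):
            continue  # unrelated line, or a clean exit
        yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z"), m["code"], m["status"]


def restart_alerts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return (time, count, code, status) each time `threshold` abnormal
    exits fall inside one sliding `window`. Lines must be in time order."""
    recent, alerts = deque(), []
    for ts, code, status in abnormal_exits(lines):
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()  # drop exits that have aged out of the window
        if len(recent) >= threshold:
            alerts.append((ts, len(recent), code, status))
    return alerts


if __name__ == "__main__":
    for ts, count, code, status in restart_alerts(SAMPLE):
        print(f"ALERT {ts.isoformat()} {UNIT}: {count} abnormal exits (last: {code} {status})")
```
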
How to Mitigate CVE-2025-15417
Immediate Actions Required
- Apply the official patch (commit 465273d13ba5d47b274c38c9d1b07f04859178a1) to remediate the vulnerability
- Restrict local access to systems running Open5GS to authorized personnel only
- Implement process monitoring and automatic recovery for the SGW-C service
- Review and audit local user accounts with access to Open5GS infrastructure
Patch Information
Open5GS has released a patch to address this vulnerability. The fix is available in commit 465273d13ba5d47b274c38c9d1b07f04859178a1. Organizations should upgrade to a patched version of Open5GS or apply this specific commit to remediate the vulnerability. Additional details and discussion can be found in the GitHub Issue Discussion.
Workarounds
- Restrict local system access using operating system-level access controls
- Implement network segmentation to isolate Open5GS components from untrusted users
- Deploy process supervision tools (e.g., systemd watchdog) to automatically restart the SGW-C service if it becomes unresponsive
- Enable enhanced logging to detect exploitation attempts before applying the patch
# Example: apply the fix commit to an Open5GS source checkout, then rebuild and reinstall
# (/path/to/open5gs is a placeholder for the local source tree)
cd /path/to/open5gs
git fetch origin
git cherry-pick 465273d13ba5d47b274c38c9d1b07f04859178a1
ninja -C build install
# Restart the SGW-C service after patching
systemctl restart open5gs-sgwcd


