CVE-2025-15528 Overview
A denial of service vulnerability has been discovered in Open5GS, an open-source implementation of 5G Core and EPC (Evolved Packet Core). The vulnerability exists in the GTPv2 Bearer Response Handler component, which improperly handles late or orphan GTPv2 responses, leading to service disruption. This flaw affects Open5GS versions up to and including 2.7.6.
Critical Impact
Remote attackers can exploit this vulnerability to cause denial of service conditions in telecommunications infrastructure by sending malicious GTPv2 bearer responses, potentially disrupting mobile network operations.
Affected Products
- Open5GS up to version 2.7.6
- SGW-C (Serving Gateway Control Plane) component
- SMF (Session Management Function) component
Discovery Timeline
- January 16, 2026 - CVE-2025-15528 published to NVD
- January 16, 2026 - Last updated in NVD database
Technical Details for CVE-2025-15528
Vulnerability Analysis
This vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release). The flaw resides in the GTPv2 Bearer Response Handler within Open5GS's SGW-C and SMF components. When the system receives late-arriving or orphan GTPv2 responses, that is, protocol messages that arrive after their associated session has already been terminated or that cannot be correlated with any existing session, the application fails to handle these edge cases gracefully.
Instead of properly discarding these unexpected responses, the vulnerable code path causes the application to abort, resulting in a denial of service condition. This is particularly concerning for telecommunications infrastructure where service availability is critical.
Root Cause
The root cause lies in improper resource handling within the GTPv2 protocol processing logic. The application expects all GTPv2 responses to correspond to active sessions or pending transactions. When a response arrives for a session that has already been cleaned up (late response) or cannot be matched to any session (orphan response), the code triggers an assertion failure or unhandled exception that causes the service to terminate.
The fix, identified by commit hash 98f76e98df35cd6a35e868aa62715db7f8141ac1, modifies the handling logic in both src/sgwc/sgwc-sm.c and src/smf/smf-sm.c to gracefully handle these scenarios without aborting.
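To make the failure mode concrete, here is an added model (not Open5GS code) of a bearer-response handler: it decodes the GTPv2-C header layout from 3GPP TS 29.274, correlates a response with a pending transaction by TEID and sequence number, and contrasts a handler that aborts on an unmatched lookup, as the pre-fix code path is described above, with one that simply discards late or orphan responses. The transaction table, class names and the constructed packets are assumptions for illustration.

```python
import struct

# GTPv2-C header: flags (version/P/T), message type, length, optional TEID,
# 3-byte sequence number, spare octet. Only correlation fields are decoded.
CREATE_BEARER_RESPONSE = 96

class ServiceAbort(RuntimeError):
    """Models an assertion in the handler taking down the whole daemon (pre-fix)."""

def parse_gtpv2_header(pkt: bytes) -> dict:
    """Return message type, TEID (if the T flag is set) and sequence number."""
    if len(pkt) < 4:
        raise ValueError("truncated GTPv2-C header")
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    if flags >> 5 != 2:
        raise ValueError(f"not GTPv2 (version {flags >> 5})")
    teid_present = bool(flags & 0x08)
    if len(pkt) < (12 if teid_present else 8):
        raise ValueError("truncated GTPv2-C header")
    teid = struct.unpack("!I", pkt[4:8])[0] if teid_present else None
    seq_off = 8 if teid_present else 4
    seq = int.from_bytes(pkt[seq_off:seq_off + 3], "big")
    return {"type": msg_type, "teid": teid, "seq": seq, "length": length}

def build_gtpv2_header(msg_type: int, teid: int, seq: int) -> bytes:
    """Constructed helper: header with T flag set and no IEs (length counts bytes after octet 4)."""
    flags = (2 << 5) | 0x08
    return struct.pack("!BBH", flags, msg_type, 8) + struct.pack("!I", teid) + seq.to_bytes(3, "big") + b"\x00"

class BearerResponseHandler:
    """Pending GTPv2 transactions keyed by (local TEID, sequence number); hypothetical model."""
    def __init__(self, abort_on_unmatched: bool):
        self.pending = {}
        self.abort_on_unmatched = abort_on_unmatched  # True models the pre-fix code path

    def open_transaction(self, teid: int, seq: int, session: str) -> None:
        self.pending[(teid, seq)] = session

    def close_session(self, teid: int) -> None:
        # Session torn down: any response still in flight becomes a "late" response.
        self.pending = {k: v for k, v in self.pending.items() if k[0] != teid}

    def handle_response(self, pkt: bytes) -> str:
        hdr = parse_gtpv2_header(pkt)
        xact = self.pending.pop((hdr["teid"], hdr["seq"]), None)
        if xact is None:
            if self.abort_on_unmatched:  # CWE-404: asserting on the lookup kills the service
                raise ServiceAbort(f"unmatched GTPv2 response type={hdr['type']} seq={hdr['seq']}")
            return "discarded"  # fixed behaviour: log and drop, keep serving other sessions
        return f"completed:{xact}"
```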
Attack Vector
The vulnerability can be exploited remotely over the network. An attacker with network access to the GTPv2 interface can craft and send malicious GTPv2 bearer response messages that trigger the vulnerable code path. The attack does not require authentication or user interaction, making it particularly accessible to adversaries with access to the mobile backhaul network.
/*
- * Copyright (C) 2019 by Sukchan Lee <acetcom@gmail.com>
+ * Copyright (C) 2019,2026 by Sukchan Lee <acetcom@gmail.com>
*
* This file is part of Open5GS.
*
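Review bot: the excerpt ends with the file-header hunk, which only changes the copyright line from "2019" to "2019,2026"; the handler change for late or orphan GTPv2 responses in src/sgwc/sgwc-sm.c and src/smf/smf-sm.c that the surrounding text describes is not shown here, so anyone validating the fix should review the full commit 98f76e98df35cd6a35e868aa62715db7f8141ac1 rather than this fragment.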
Source: GitHub Commit 98f76e9
The patch modifies the SGW-C and SMF state machine handlers to gracefully process late or orphan GTPv2 responses instead of triggering an abort condition.
Detection Methods for CVE-2025-15528
Indicators of Compromise
- Unexpected service restarts or crashes in Open5GS SGW-C or SMF components
- Abnormal GTPv2 bearer response messages in network traffic logs
- Increased frequency of orphan or late GTPv2 protocol messages
- Service availability degradation in mobile network connectivity
Detection Strategies
- Monitor Open5GS service logs for abort conditions or assertion failures in GTPv2 handling routines
- Implement network traffic analysis to detect anomalous GTPv2 bearer response patterns
- Configure process monitoring to alert on unexpected termination of open5gs-sgwcd or open5gs-smfd processes
- Deploy IDS/IPS rules to identify malformed or suspicious GTPv2 protocol traffic
Monitoring Recommendations
- Enable detailed logging for GTPv2 protocol handling in Open5GS configuration
- Set up automated alerting for service crashes with correlation to network traffic patterns
- Implement baseline monitoring for GTPv2 message rates and response timing anomalies
- Review system logs regularly for evidence of exploitation attempts
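As an added example of the log-based detection described above (not from the Open5GS project), the following scans constructed log lines that approximate Open5GS's own "MM/DD HH:MM:SS.mmm: [domain] LEVEL: message (file:line)" layout together with systemd journal lines, and raises an alert when a FATAL or assertion event in sgwc-sm.c or smf-sm.c is followed by an abnormal exit of the matching daemon. The sample lines, regexes and the domain-to-unit mapping are constructed assumptions; adapt them to your deployment's log format.

```python
import re

# Constructed sample lines approximating the Open5GS log layout interleaved
# with systemd journal output. Adjust the regexes to your own log format.
SAMPLE_LOG = """\
01/16 10:00:01.100: [gtp] INFO: Bearer response received (../lib/gtp/path.c:120)
01/16 10:00:01.250: [sgwc] WARNING: No context for GTPv2 response seq=4097 (../src/sgwc/sgwc-sm.c:188)
01/16 10:00:01.251: [sgwc] FATAL: sgwc_state_operational: Assertion `sess' failed. (../src/sgwc/sgwc-sm.c:210)
Jan 16 10:00:01 core systemd[1]: open5gs-sgwcd.service: Main process exited, code=dumped, status=6/ABRT
01/16 10:00:05.000: [smf] INFO: SMF initialize...done (../src/smf/app.c:31)
"""

OGS_LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}): \[(\w+)\] (\w+): (.*?)(?: \(([^()]+):(\d+)\))?$")
SYSTEMD_EXIT = re.compile(r"(open5gs-(?:sgwcd|smfd))\.service: Main process exited, code=(\w+), status=(\S+)")
GTPV2_HANDLERS = ("sgwc-sm.c", "smf-sm.c")  # files changed by the fix

def scan(log_text: str):
    """Return (assertion_events, crash_events) extracted from the log text."""
    assertions, crashes = [], []
    for line in log_text.splitlines():
        m = OGS_LINE.match(line)
        if m:
            ts, domain, level, msg, path, _lineno = m.groups()
            in_handler = path is not None and path.endswith(GTPV2_HANDLERS)
            if level == "FATAL" or ("Assertion" in msg and in_handler):
                assertions.append({"ts": ts, "domain": domain, "msg": msg, "file": path})
            continue
        m = SYSTEMD_EXIT.search(line)
        if m:
            crashes.append({"unit": m.group(1), "code": m.group(2), "status": m.group(3)})
    return assertions, crashes

def alerts(log_text: str):
    """Alert when a GTPv2 handler assertion is paired with an abnormal exit of the
    corresponding daemon, the crash signature this advisory describes."""
    assertions, crashes = scan(log_text)
    unit_for = {"sgwc": "open5gs-sgwcd", "smf": "open5gs-smfd"}  # assumed mapping
    out = []
    for a in assertions:
        unit = unit_for.get(a["domain"])
        if any(c["unit"] == unit and c["code"] == "dumped" for c in crashes):
            out.append(f"{unit}: abort after GTPv2 handler assertion at {a['file']} ({a['ts']})")
    return out
```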
How to Mitigate CVE-2025-15528
Immediate Actions Required
- Update Open5GS to a version containing the security patch (commit 98f76e98df35cd6a35e868aa62715db7f8141ac1 or later)
- Review network segmentation to limit exposure of GTPv2 interfaces to trusted networks only
- Implement rate limiting on GTPv2 protocol endpoints to reduce the impact of potential attacks
- Enable enhanced logging to detect exploitation attempts before upgrading
Patch Information
The vulnerability has been addressed in the Open5GS repository through commit 98f76e98df35cd6a35e868aa62715db7f8141ac1. This patch modifies the GTPv2 bearer response handling logic in both the SGW-C and SMF components to gracefully handle late or orphan responses without causing service termination.
For detailed patch information, refer to the GitHub Commit 98f76e9 and the related GitHub Issue #4225.
Workarounds
- Restrict network access to GTPv2 interfaces using firewall rules to allow only trusted peer connections
- Implement process supervision with automatic restart capabilities to minimize downtime if exploitation occurs
- Deploy redundant Open5GS instances to maintain service availability during potential attacks
- Consider network-level traffic filtering to drop malformed GTPv2 messages before they reach the application
# Example: Restrict GTPv2 interface access using iptables
# Allow GTPv2-C traffic (UDP port 2123) only from trusted peers; drop everything else
iptables -A INPUT -p udp --dport 2123 -s <trusted_peer_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 2123 -j DROP
# Process supervision for the Open5GS services: 'systemctl enable' alone only starts
# a unit at boot. The Restart= directive in a drop-in is what brings a daemon back
# after an abort, which is the failure mode of this vulnerability.
for svc in open5gs-sgwcd open5gs-smfd; do
    mkdir -p /etc/systemd/system/$svc.service.d
    printf '[Service]\nRestart=on-failure\nRestartSec=2\n' > /etc/systemd/system/$svc.service.d/restart.conf
done
systemctl daemon-reload
systemctl enable --now open5gs-sgwcd open5gs-smfd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.