CVE-2025-15529 Overview
A denial of service vulnerability has been identified in Open5GS, an open-source implementation of 5G Core and EPC (Evolved Packet Core). The vulnerability exists in the function sgwc_s5c_handle_create_session_response within the file src/sgwc/s5c-handler.c. This flaw allows remote attackers to trigger a denial of service condition through manipulated network requests, potentially disrupting mobile network operations.
Critical Impact
Remote attackers can exploit this vulnerability to cause denial of service in Open5GS deployments, affecting the SGW-C (Serving Gateway Control Plane) component which is essential for handling user data sessions in mobile networks.
Affected Products
- Open5GS versions up to and including 2.7.6
- SGW-C (Serving Gateway Control Plane) component
- Deployments using the affected s5c-handler.c implementation
Discovery Timeline
- 2026-01-16 - CVE-2025-15529 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-15529
Vulnerability Analysis
This vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release), indicating that the affected function fails to properly manage resources during session handling operations. The flaw resides in the sgwc_s5c_handle_create_session_response function, which processes responses related to session creation on the S5-C interface between the SGW-C and PGW-C (PDN Gateway Control Plane) components.
When specially crafted input is processed by this function, the system fails to properly release or manage allocated resources, leading to a denial of service condition. The vulnerability can be exploited remotely over the network without requiring authentication, making it particularly concerning for production Open5GS deployments.
Root Cause
The root cause stems from improper resource management within the session response handler. The function sgwc_s5c_handle_create_session_response does not adequately handle certain error conditions or edge cases during session creation response processing. This improper resource shutdown or release (CWE-404) can lead to resource exhaustion or system instability when exploited.
Attack Vector
The vulnerability is exploitable remotely over the network. An attacker can send manipulated GTP-C (GPRS Tunneling Protocol Control Plane) messages to the SGW-C component, triggering the vulnerable code path. The attack requires no authentication or user interaction, making it accessible to any attacker who can reach the SGW-C interface.
The S5-C interface, which connects the SGW-C to the PGW-C, processes session-related signaling. By targeting the create session response handling, an attacker can disrupt the establishment of user data sessions, effectively causing a denial of service for mobile network subscribers.
Detection Methods for CVE-2025-15529
Indicators of Compromise
- Unexpected crashes or restarts of the Open5GS SGW-C service
- Elevated error rates in GTP-C session establishment logs
- Unusual network traffic patterns targeting the S5-C interface
- Resource exhaustion symptoms on systems running Open5GS SGW-C
Detection Strategies
- Monitor Open5GS service logs for errors related to sgwc_s5c_handle_create_session_response function
- Implement network intrusion detection rules for anomalous GTP-C traffic patterns
- Deploy application-level monitoring to track SGW-C session handling failures
- Configure alerting for unexpected service restarts or process terminations
Monitoring Recommendations
- Enable verbose logging for the SGW-C component to capture detailed session handling events
- Implement rate limiting on the S5-C interface to mitigate potential exploitation attempts
- Monitor system resource utilization (memory, CPU) on Open5GS host systems
- Establish baseline metrics for normal session establishment rates to detect anomalies
How to Mitigate CVE-2025-15529
Immediate Actions Required
- Update Open5GS to a version containing the security patch (commit b19cf6a2dbf5d30811be4488bf059c865bd7d1d2)
- Review network access controls to limit exposure of the S5-C interface
- Implement monitoring for signs of exploitation attempts
- Consider deploying additional network-level protections for critical 5G/EPC components
Patch Information
A patch has been released by the Open5GS project to address this vulnerability. The fix is identified by commit hash b19cf6a2dbf5d30811be4488bf059c865bd7d1d2. Organizations should apply this patch by updating to the latest Open5GS version or by applying the specific commit to their deployment.
For detailed technical information about the vulnerability and the fix, refer to the GitHub Issue Tracker and the GitHub Commit Update.
Workarounds
- Restrict network access to the S5-C interface using firewall rules to trusted PGW-C endpoints only
- Implement network segmentation to isolate Open5GS components from untrusted networks
- Deploy intrusion prevention systems with custom rules to detect and block malicious GTP-C traffic
- Consider temporary service redundancy to maintain availability during patching operations
# Configuration example - Restrict S5-C interface access via firewall
# Replace <TRUSTED_PGW_IP> with your PGW-C IP address
iptables -A INPUT -p udp --dport 2123 -s <TRUSTED_PGW_IP> -j ACCEPT
iptables -A INPUT -p udp --dport 2123 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
