Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-15530

CVE-2025-15530: Open5GS RCE Vulnerability

CVE-2025-15530 is a remote code execution flaw in Open5GS up to version 2.7.6 affecting the sgwc_s11_handle function. This vulnerability allows remote attackers to trigger reachable assertions. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2025-15530 Overview

A reachable assertion vulnerability has been identified in Open5GS, an open-source implementation of 5G Core and EPC (Evolved Packet Core) network functions. This vulnerability affects the sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request function within the file /src/sgwc/s11-handler.c. An attacker can remotely trigger the assertion condition through manipulated network requests, causing the SGW-C (Serving Gateway Control Plane) component to terminate unexpectedly.

Critical Impact

Remote attackers can cause denial of service conditions in Open5GS deployments by triggering a reachable assertion in the SGW-C component, potentially disrupting mobile network services.

Affected Products

  • Open5GS up to version 2.7.6
  • SGW-C (Serving Gateway Control Plane) component
  • 5G Core and EPC network deployments using affected versions

Discovery Timeline

  • 2026-01-17 - CVE-2025-15530 published to NVD
  • 2026-01-17 - Last updated in NVD database

Technical Details for CVE-2025-15530

Vulnerability Analysis

This vulnerability is classified as CWE-617 (Reachable Assertion), a condition where application code contains assertion statements that can be triggered by external input or attacker-controlled conditions. In the context of Open5GS, the vulnerable function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request processes S11 interface messages for creating indirect data forwarding tunnels during handover procedures in mobile networks.

When a specially crafted request triggers the assertion, the SGW-C process terminates abruptly, causing a denial of service condition. The vulnerability is exploitable over the network without requiring authentication, making it particularly concerning for production deployments. The exploit has been publicly disclosed, and according to the issue report, the vulnerability has already been fixed in newer versions of the software.

Root Cause

The root cause lies in the improper handling of input validation within the sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request function. The code contains an assertion statement (ogs_assert()) that checks for certain conditions during the processing of S11 Create Indirect Data Forwarding Tunnel Request messages. When malformed or unexpected input is received, these assertion conditions fail, causing the process to crash rather than gracefully handling the error condition.

Assertions are typically intended for debugging purposes and should not be relied upon for input validation in production code, as they can be triggered by external attackers to cause denial of service.

Attack Vector

The attack vector is network-based, targeting the S11 interface of the SGW-C component. An attacker with network access to the Open5GS infrastructure can send specially crafted GTPv2-C (GPRS Tunneling Protocol version 2 Control plane) messages to trigger the vulnerable code path.

The vulnerability is described in detail in the GitHub Open5GS Issue #4231. Additional technical context is available through the VulDB entry #341597.

Detection Methods for CVE-2025-15530

Indicators of Compromise

  • Unexpected SGW-C process crashes or restarts in Open5GS deployments
  • Assertion failure messages in system logs containing references to sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request
  • Unusual GTPv2-C traffic patterns on the S11 interface

Detection Strategies

  • Monitor Open5GS service availability and implement alerting for unexpected process terminations
  • Analyze GTPv2-C traffic for malformed Create Indirect Data Forwarding Tunnel Request messages
  • Review system logs for assertion failures in the /src/sgwc/s11-handler.c module
  • Deploy network intrusion detection rules to identify anomalous S11 interface traffic

Monitoring Recommendations

  • Implement service health monitoring for all Open5GS components with automatic alerting
  • Enable detailed logging for S11 interface message processing
  • Configure process monitoring to detect and alert on SGW-C crashes
  • Establish baseline metrics for GTPv2-C message rates to detect anomalous activity

How to Mitigate CVE-2025-15530

Immediate Actions Required

  • Upgrade Open5GS to a version newer than 2.7.6 where the fix has been applied
  • Implement network segmentation to restrict access to the S11 interface from untrusted networks
  • Enable rate limiting on GTPv2-C interfaces to reduce the impact of potential exploitation attempts
  • Monitor SGW-C process stability and implement automatic restart capabilities

Patch Information

According to the vulnerability report, this issue has been flagged as already-fixed by the Open5GS maintainers. Users should upgrade to the latest available version of Open5GS to ensure they have the security fix applied. For detailed information about the fix, refer to the GitHub issue discussion.

Workarounds

  • Restrict network access to the S11 interface using firewall rules to allow only trusted network elements
  • Implement a process supervisor to automatically restart the SGW-C component if it crashes
  • Deploy a load balancer or high-availability configuration to minimize service disruption
  • Consider temporarily disabling indirect data forwarding tunnel functionality if not required for operations
bash
# Example: Restrict S11 interface access using iptables
# Replace <trusted_mme_ip> with your actual MME IP addresses
iptables -A INPUT -p udp --dport 2123 -s <trusted_mme_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 2123 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne