CVE-2025-15531 Overview
CVE-2025-15531 is a reachable assertion vulnerability in Open5GS, an open source implementation of 5G Core and EPC network functions. The flaw resides in the sgwc_bearer_add function within src/sgwc/context.c and affects versions up to 2.7.5. Remote attackers can trigger the assertion without authentication or user interaction, causing the Serving Gateway Control plane (SGW-C) component to abort. A public exploit reference exists, and the upstream project has flagged the issue as already fixed. The vulnerability is classified under CWE-617: Reachable Assertion.
Critical Impact
Remote unauthenticated attackers can crash the Open5GS SGW-C process by triggering an assertion in bearer context handling, disrupting mobile core network availability.
Affected Products
- Open5GS versions up to and including 2.7.5
- Open5GS SGW-C component (src/sgwc/context.c)
- Deployments exposing Open5GS control-plane interfaces to untrusted networks
Discovery Timeline
- 2026-01-17 - CVE-2025-15531 published to the National Vulnerability Database
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2025-15531
Vulnerability Analysis
The vulnerability resides in the sgwc_bearer_add function in src/sgwc/context.c, part of the SGW-C component of Open5GS. The function fails to validate input conditions before invoking an assertion macro. When the assertion evaluates to false, the process terminates abnormally. Because the SGW-C handles control-plane signaling between user equipment, mobility management entities, and the packet gateway, the abort interrupts session establishment across the mobile core. The exploit is publicly described and reachable over the network without authentication.
Root Cause
The root cause is improper input validation paired with assertion-based error handling. Assertions are intended as developer-side invariants, not as runtime defenses against malformed external input. When sgwc_bearer_add processes bearer context data that violates expected invariants, the assertion fires and the process aborts instead of returning a controlled error. This pattern matches CWE-617: Reachable Assertion.
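The difference between an assertion and a controlled error is shown below as an added illustration; it is not Open5GS source code and not taken from the upstream fix. The types, the bearer limit, the result codes and the two invariants checked are assumptions made for the example, since the advisory does not state which invariant the real function asserts.

```c
/* Added illustration of CWE-617. Hypothetical types and limits, not Open5GS source. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_BEARERS 4 /* assumed per-session limit for the example */

typedef struct { int ebi; } bearer_t;
typedef struct { bearer_t bearers[MAX_BEARERS]; size_t num_bearers; } session_t;

/* Reachable-assertion shape: state influenced by a peer is checked with
 * assert(), so a violated precondition calls abort() and ends the daemon. */
bearer_t *bearer_add_asserting(session_t *sess)
{
    assert(sess);
    assert(sess->num_bearers < MAX_BEARERS);
    return &sess->bearers[sess->num_bearers++];
}

/* Hardened shape: the same preconditions, reported as a return value. */
bearer_t *bearer_add_checked(session_t *sess)
{
    if (sess == NULL || sess->num_bearers >= MAX_BEARERS)
        return NULL;
    return &sess->bearers[sess->num_bearers++];
}

enum result { ACCEPTED = 0, REJECTED_NO_RESOURCES = 1, REJECTED_NO_CONTEXT = 2 };

/* The caller maps the failure to a protocol-level rejection and keeps running. */
enum result handle_create_bearer(session_t *sess, int ebi)
{
    bearer_t *b = bearer_add_checked(sess);
    if (b == NULL)
        return sess ? REJECTED_NO_RESOURCES : REJECTED_NO_CONTEXT;
    b->ebi = ebi;
    return ACCEPTED;
}

int main(void)
{
    session_t s = {0};
    for (int i = 0; i <= MAX_BEARERS; i++) /* one request more than the limit */
        printf("request %d -> %d\n", i, handle_create_bearer(&s, 5 + i));
    printf("no session -> %d\n", handle_create_bearer(NULL, 5));
    return 0;
}
```

The asserting variant is kept only for comparison; passing it the same out-of-limit or NULL input would abort the process instead of producing a rejection code.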
Attack Vector
An attacker reaches the vulnerability remotely by sending crafted signaling messages to the Open5GS SGW-C. No credentials are required, and the request must pass through a network path that allows the attacker to deliver bearer-related signaling to the affected function. The result is a denial of service against the control plane. Confidentiality and integrity are not directly impacted; availability of the mobile core is the primary concern. Refer to the Open5GS issue tracker entry for the upstream technical discussion.
Detection Methods for CVE-2025-15531
Indicators of Compromise
- Unexpected termination or restart of the Open5GS sgwc process with assertion failure messages in logs
- Stack traces or core dumps referencing sgwc_bearer_add in src/sgwc/context.c
- Spikes in failed bearer establishment requests preceding SGW-C crashes
- Repeated malformed GTP-C or PFCP control-plane messages from a single source
Detection Strategies
- Monitor SGW-C process health and restart counters across the mobile core
- Correlate control-plane signaling errors with process termination events
- Inspect Open5GS logs for assert or abort entries originating in the SGW-C module
- Review packet captures of control-plane traffic for anomalous bearer context modification requests
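One way to implement the log inspection described above, as an added example that is not part of the original advisory or of Open5GS. The log line layout, the placeholder assertion text and line numbers, and the names other_func and lib/other/file.c are assumptions; the sample lines are constructed, so adjust the pattern to the format your deployment actually emits.

```c
/* Added example: flag assertion aborts in sgwc_bearer_add from log text.
 * The "FATAL: func: Assertion `expr' failed. (file:line)" layout is assumed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { char func[64]; char expr[64]; char file[128]; int line; } assert_hit;

/* Returns 1 and fills *hit when the line is a FATAL assertion record. */
int parse_assert_line(const char *log, assert_hit *hit)
{
    const char *p = strstr(log, "FATAL: ");
    if (p == NULL)
        return 0;
    return sscanf(p, "FATAL: %63[^:]: Assertion `%63[^']' failed. (%127[^:]:%d)",
                  hit->func, hit->expr, hit->file, &hit->line) == 4;
}

/* True when the record points at the function and file named in the advisory. */
int is_cve_2025_15531_hit(const assert_hit *hit)
{
    return strcmp(hit->func, "sgwc_bearer_add") == 0 &&
           strstr(hit->file, "src/sgwc/context.c") != NULL;
}

/* Constructed sample lines with placeholder expression and line numbers. */
static const char *SAMPLE_LOG[] = {
    "01/20 09:14:02.118: [sgwc] INFO: session setup in progress",
    "01/20 09:14:07.530: [sgwc] FATAL: sgwc_bearer_add: Assertion `EXPR' failed. (../src/sgwc/context.c:0)",
    "01/20 09:14:09.004: [app] INFO: daemon started",
    "01/20 09:20:41.377: [gtp] FATAL: other_func: Assertion `EXPR' failed. (../lib/other/file.c:0)",
    "01/20 09:31:55.902: [sgwc] FATAL: sgwc_bearer_add: Assertion `EXPR' failed. (../src/sgwc/context.c:0)",
};

/* Counts records that match the advisory's function and file. */
int count_hits(const char **lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        assert_hit h;
        if (parse_assert_line(lines[i], &h) && is_cve_2025_15531_hit(&h))
            hits++;
    }
    return hits;
}

int main(void)
{
    printf("sgwc_bearer_add assertion aborts: %d\n", count_hits(SAMPLE_LOG, 5));
    return 0;
}
```

Correlating each hit with the next supervisor restart of open5gs-sgwcd separates induced crashes from unrelated restarts.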
Monitoring Recommendations
- Enable verbose logging on the SGW-C and forward logs to a centralized logging or SIEM platform
- Alert on process supervisor restart events for open5gs-sgwcd
- Track session establishment success rates as a leading indicator of control-plane disruption
How to Mitigate CVE-2025-15531
Immediate Actions Required
- Upgrade Open5GS to a version newer than 2.7.5 that includes the upstream fix referenced in GitHub issue #4233
- Restrict network access to SGW-C control-plane interfaces using firewall rules or network segmentation
- Audit existing deployments for exposure of Open5GS signaling endpoints to untrusted networks
- Enable automatic process supervision so SGW-C restarts after crashes while remediation is applied
Patch Information
The Open5GS maintainers have flagged the issue as already fixed in the upstream repository. Deploy the latest release from the Open5GS GitHub repository and rebuild or update affected binaries. Validate the fix by confirming that sgwc_bearer_add in src/sgwc/context.c includes input validation before the assertion path. Additional context is available in the VulDB entry #341598.
Workarounds
- Place the SGW-C behind network ACLs that only permit signaling from authorized MME, PGW-C, and SMF peers
- Deploy rate limiting on control-plane interfaces to slow abuse of malformed bearer requests
- Use a process supervisor such as systemd with Restart=always to recover from induced crashes until patching is complete
# Configuration example: restart SGW-C on failure via systemd override
sudo systemctl edit open5gs-sgwcd
# Add the following lines:
# [Service]
# Restart=always
# RestartSec=2s
sudo systemctl daemon-reload
sudo systemctl restart open5gs-sgwcd


