The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-15539

CVE-2025-15539: Open5GS DoS Vulnerability in sgwc

CVE-2025-15539 is a denial of service vulnerability in Open5GS up to version 2.7.6, affecting the sgwc component. Attackers can remotely trigger this flaw to disrupt service. This article covers technical details, impact, and patches.

Published: January 23, 2026

CVE-2025-15539 Overview

A denial of service vulnerability has been identified in Open5GS up to version 2.7.6. The vulnerability affects the sgwc_s11_handle_downlink_data_notification_ack function within the src/sgwc/s11-handler.c file of the SGWC (Serving Gateway Control) component. This flaw allows remote attackers to trigger a denial of service condition by exploiting improper resource handling. The exploit has been publicly disclosed and a patch is available.

Critical Impact

Remote attackers can cause denial of service in Open5GS 5G core network infrastructure by triggering fatal assertions in the SGWC component, potentially disrupting mobile network services.

Affected Products

  • Open5GS versions up to 2.7.6
  • SGWC (Serving Gateway Control) component
  • Systems running vulnerable src/sgwc/s11-handler.c implementations

Discovery Timeline

  • 2026-01-19 - CVE CVE-2025-15539 published to NVD
  • 2026-01-19 - Last updated in NVD database

Technical Details for CVE-2025-15539

Vulnerability Analysis

This vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release). The core issue lies in the sgwc_s11_handle_downlink_data_notification_ack function where fatal assertions (ogs_assert) are used without proper null checks or validation. When processing Downlink Data Notification Acknowledgment messages, the function assumes certain data structures are always present and valid. An attacker can craft malicious network packets that cause these assertions to fail, resulting in immediate process termination and service disruption.

The vulnerability is exploitable remotely over the network without requiring authentication or user interaction. This makes it particularly concerning for production 5G core deployments where service availability is critical.

Root Cause

The root cause is the improper use of fatal assertions (ogs_assert) for handling conditions that could legitimately occur during normal operation or through malicious input. Specifically, the vulnerable code assumed:

  1. Transaction data (s11_xact->data) would always be present
  2. Bearer IDs would always be within valid pool bounds
  3. Bearer and session objects would always be found when referenced

These assumptions lead to fatal program termination when violated, rather than graceful error handling.

Attack Vector

An attacker with network access to the SGWC interface can send specially crafted Downlink Data Notification Acknowledgment messages that:

  1. Contain missing transaction data
  2. Reference invalid or out-of-bounds bearer IDs
  3. Reference non-existent bearer or session objects

The attack requires no authentication and can be executed remotely, making it accessible to any attacker with network visibility to the vulnerable component.

c
      * Check Transaction
      ********************/
     ogs_assert(s11_xact);
-    ogs_assert(s11_xact->data);
+
+    if (!s11_xact->data) {
+        ogs_error("No Transaction Data in Downlink Data Notification Ack");
+        goto out;
+    }
+
     bearer_id = OGS_POINTER_TO_UINT(s11_xact->data);
-    ogs_assert(bearer_id >= OGS_MIN_POOL_ID &&
-            bearer_id <= OGS_MAX_POOL_ID);
+    if (bearer_id < OGS_MIN_POOL_ID || bearer_id > OGS_MAX_POOL_ID) {
+        ogs_error("Invalid Bearer ID [%d] in Downlink Data Notification Ack",
+                bearer_id);
+        goto out;
+    }
 
     bearer = sgwc_bearer_find_by_id(bearer_id);
-    ogs_assert(bearer);
+    if (!bearer) {
+        ogs_warn("Bearer Not Found [id:%d] in Downlink Data Notification Ack",
+                bearer_id);
+        goto out;
+    }
+
     sess = sgwc_sess_find_by_id(bearer->sess_id);
-    ogs_assert(sess);
+    if (!sess) {

Source: GitHub Commit Update

Detection Methods for CVE-2025-15539

Indicators of Compromise

  • Unexpected SGWC process crashes or restarts
  • Core dumps containing assertion failures in sgwc_s11_handle_downlink_data_notification_ack
  • Log entries showing abnormal Downlink Data Notification Ack processing
  • Elevated rate of GTP-C protocol errors on the S11 interface

Detection Strategies

  • Monitor SGWC process stability and implement alerting on unexpected terminations
  • Analyze GTP-C traffic patterns for malformed Downlink Data Notification Acknowledgment messages
  • Review system logs for ogs_assert failure messages in the SGWC component
  • Implement network traffic analysis for anomalous S11 interface activity

Monitoring Recommendations

  • Configure process monitoring with automatic restart capabilities for the SGWC service
  • Enable detailed logging for the S11 handler functions to capture potential attack attempts
  • Set up alerts for bearer ID validation failures and missing transaction data errors
  • Monitor network traffic on GTP-C interfaces for unusual packet patterns

How to Mitigate CVE-2025-15539

Immediate Actions Required

  • Upgrade Open5GS to a version containing patch b4707272c1caf6a7d4dca905694ea55557a0545f
  • Implement network segmentation to limit access to SGWC interfaces
  • Enable process monitoring and automatic restart for critical 5G core components
  • Review firewall rules to restrict S11 interface access to trusted network elements

Patch Information

The vulnerability has been addressed in the Open5GS repository. The fix replaces fatal assertions with proper error handling, allowing the function to gracefully handle edge cases without terminating the process. The patch (commit b4707272c1caf6a7d4dca905694ea55557a0545f) adds null checks for transaction data, validates bearer ID bounds, and verifies bearer and session object existence before use. For technical details, see the GitHub Commit Update and GitHub Issue Discussion.

Workarounds

  • Restrict network access to SGWC S11 interfaces using firewall rules
  • Implement process supervisors to automatically restart the SGWC service upon crashes
  • Deploy network intrusion detection systems to identify malicious GTP-C traffic
  • Consider running SGWC in a containerized environment with automatic restart policies
bash
# Configuration example
# Restrict S11 interface access via iptables
iptables -A INPUT -p udp --dport 2123 -s trusted_mme_ip -j ACCEPT
iptables -A INPUT -p udp --dport 2123 -j DROP

# Enable process monitoring with systemd restart policy
# Add to /etc/systemd/system/open5gs-sgwcd.service
# [Service]
# Restart=always
# RestartSec=5

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechOpen5gs
  • SeverityMEDIUM
  • CVSS Score5.5
  • EPSS Probability0.06%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-404
  • Technical References
  • GitHub Commit Update
  • GitHub Issue Discussion
  • GitHub Issue Comment
  • VulDB CTI #341732
  • VulDB #341732
  • VulDB Submission #735339
  • Related CVEs
  • CVE-2026-4988: Open5GS CCA Message Handler DoS Vulnerability
  • CVE-2026-4240: Open5GS CCA Handler DoS Vulnerability
  • CVE-2026-2517: Open5GS Denial of Service Vulnerability
  • CVE-2026-2524: Open5gs Open5gs DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English