CVE-2025-52322
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-10-17

Assigner: MITRE

Description
An issue in Open5GS v2.7.2 and before allows a remote attacker to cause a denial of service via a crafted Create Session Request message to the SMF (PGW-C), using the IP address of a legitimate UE in the PDN Address Allocation (PAA) field
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-10-17
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-14
NVD
CVE-2025-52322
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open5gs open5gs to 2.7.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-52322 is a vulnerability in Open5GS version 2.7.2 and earlier where the User Plane Function (UPF) does not check for IP address conflicts when establishing new sessions. An attacker can send a forged Create Session Request to the Session Management Function (SMF) using the IP address of a legitimate User Equipment (UE) in the PDN Address Allocation field. This causes the UPF to create malicious forwarding rules that hijack downlink traffic intended for the victim UE, resulting in partial or full session hijacking and denial of service. The attacker does not need credentials or internal session knowledge to exploit this flaw. The root cause is the lack of verification of whether a UE IP address is already in use when processing new PFCP session establishment requests. [1]

Impact Analysis

This vulnerability can lead to denial of service (DoS) against legitimate users by hijacking their network sessions. An attacker can divert downlink traffic intended for a victim UE to their own server, causing partial or full interception of the victim's data. This disrupts normal service for the victim and can compromise confidentiality and availability of communications. Additionally, the attacker can create multiple conflicting forwarding rules, exhausting IP resources and further degrading network performance. [1]

Detection Guidance

This vulnerability can be detected by monitoring SMF and UPF logs for multiple sessions using the same UE IP address without conflict detection. Specifically, look for multiple PFCP Session Establishment Requests that create Packet Detection Rules (PDRs) for the same UE IP. Detection can involve capturing and analyzing GTP Create Session Request messages with suspicious PDN Address Allocation fields matching legitimate UE IPs. While no specific commands are provided, using packet capture tools like tcpdump or Wireshark to filter GTP-C traffic to the SMF's GTP port and inspecting PFCP session establishment messages for duplicate UE IP allocations is recommended. [1]

Mitigation Strategies

Immediate mitigation steps include implementing IP conflict checks in the UPF to reject PFCP session requests that reuse UE IP addresses. However, this alone is insufficient. The recommended robust mitigation is to secure PFCP and GTP-C signaling traffic using IPsec tunnels or DTLS/TLS to provide authentication and integrity protection, preventing unauthorized and spoofed control messages from reaching the SMF and UPF. This network-layer protection is essential to block attackers from injecting malicious forwarding rules. Additionally, monitoring and restricting access to control plane interfaces can help reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-52322. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart