CVE-2025-52322
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-10-17
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to and including 2.7.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52322 is a vulnerability in Open5GS versions up to and including 2.7.2: the User Plane Function (UPF) does not check whether a UE IP address is already in use before installing forwarding rules for a new session. An attacker who can reach the Session Management Function (SMF) sends a forged Create Session Request carrying a legitimate User Equipment's (UE) IP address in the PDN Address Allocation (PAA) field. The SMF turns that request into a PFCP Session Establishment Request, and the UPF installs Packet Detection Rules (PDRs) and forwarding rules for the victim's address, so downlink traffic meant for the victim UE is steered into the attacker's session. The result is partial or full session hijacking and denial of service for the victim. No credentials and no knowledge of the victim's existing session are required. The root cause is the missing check, when a new PFCP Session Establishment Request is processed, that the requested UE IP address is not already allocated to another active session. [1]
How can this vulnerability impact me?
The direct impact is denial of service for the victim UE: its downlink traffic is diverted to the attacker's session, so the legitimate session loses connectivity. Because the diverted traffic is delivered to an attacker-controlled endpoint, the victim's downlink data can be partially or fully intercepted, so confidentiality is affected as well as availability. The attacker can also repeat the request to create many conflicting forwarding rules, consuming the UPF's IP and session resources (the CWE-400 aspect of the flaw) and degrading service beyond the single victim. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The observable symptom is more than one active session carrying the same UE IP address. On the SMF and UPF, review logs for PFCP Session Establishment Requests whose Packet Detection Rules (PDRs) reference a UE IP that is already assigned to another session; a correctly behaving core allocates each UE IP to one session at a time. On the wire, capture GTP-C traffic towards the SMF (GTPv2-C runs over UDP port 2123) and inspect Create Session Request messages whose PDN Address Allocation (PAA) field carries an address already in use, and capture PFCP traffic between SMF and UPF (UDP port 8805) to spot duplicate UE IP Address IEs across Session Establishment Requests. tcpdump or Wireshark filtered on those two UDP ports is sufficient for the capture; the source provides no specific commands. [1]
What immediate steps should I take to mitigate this vulnerability?
The fix at the root is an IP conflict check in the UPF: reject any PFCP Session Establishment Request whose UE IP address is already allocated to another active session instead of silently installing a second set of forwarding rules. Versions up to and including 2.7.2 are listed as affected, so confirm that the Open5GS release you run is outside that range. The check alone does not address the fact that forged signaling is accepted in the first place, so the robust mitigation is to protect PFCP (N4) and GTP-C signaling with IPsec tunnels or DTLS/TLS, so that only authenticated peers can deliver control messages to the SMF and UPF and spoofed requests never reach them. In addition, restrict reachability of the control-plane interfaces (the SMF's GTP-C port and the UPF's PFCP port) to the expected peers with network ACLs, and monitor those interfaces for traffic from unexpected sources. [1]
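The detection and mitigation answers above both reduce to one check: is the UE IP in a new PFCP Session Establishment Request already owned by another active session? The following Python is an added example written for this page; it is not Open5GS code and not a complete PFCP implementation. It decodes only the PFCP header and the F-SEID, Create PDR, PDI and UE IP Address IEs (type numbers and layouts as in 3GPP TS 29.244), tracks which control-plane session owns each UE IPv4 address, learns the UP SEID from the Session Establishment Response so that a later Session Deletion Request releases the address, and flags an establishment that reuses an address still in use. Fed from a capture of UDP port 8805 it acts as the detector; placed in a UPF's session-establishment path it is the rejection the mitigation describes. The sample messages, SEIDs and addresses (node IPs 10.0.0.1 and 10.0.0.2, UE addresses in 10.45.0.0/16) are constructed for the demo and carry only the IEs the example needs.

```python
import struct
from ipaddress import IPv4Address

# PFCP message types and IE types from 3GPP TS 29.244 (only the ones used here).
SESSION_ESTABLISHMENT_REQUEST, SESSION_ESTABLISHMENT_RESPONSE, SESSION_DELETION_REQUEST = 50, 51, 54
IE_CREATE_PDR, IE_PDI, IE_F_SEID, IE_UE_IP_ADDRESS = 1, 2, 57, 93

def parse_pfcp(data):
    """Return (msg_type, header_seid, body) for one PFCP v1 message."""
    flags, msg_type, length = struct.unpack_from("!BBH", data, 0)
    if flags >> 5 != 1 or len(data) < 4 + length:
        raise ValueError("not a complete PFCP v1 message")
    off, seid = 4, None
    if flags & 0x01:                     # S flag: an 8-byte SEID follows the length
        (seid,) = struct.unpack_from("!Q", data, off)
        off += 8
    return msg_type, seid, data[off + 4:4 + length]   # skip 3-byte seq + 1 spare octet

def parse_ies(buf):
    """Yield (type, value) for the TLV IEs in buf; grouped IEs nest the same way."""
    off = 0
    while off + 4 <= len(buf):
        ie_type, ie_len = struct.unpack_from("!HH", buf, off)
        if off + 4 + ie_len > len(buf):
            raise ValueError("truncated IE")
        yield ie_type, buf[off + 4:off + 4 + ie_len]
        off += 4 + ie_len

def seid_in(body):
    """SEID from the body's F-SEID IE (flag octet, 8-byte SEID, then node address)."""
    for t, v in parse_ies(body):
        if t == IE_F_SEID:
            return struct.unpack_from("!Q", v, 1)[0]
    raise ValueError("F-SEID IE missing")

def session_ue_ips(body):
    """UE IPv4 addresses under Create PDR -> PDI -> UE IP Address (V4 flag = bit 2)."""
    ips = set()
    for t, v in parse_ies(body):
        for t2, v2 in (parse_ies(v) if t == IE_CREATE_PDR else ()):
            for t3, v3 in (parse_ies(v2) if t2 == IE_PDI else ()):
                if t3 == IE_UE_IP_ADDRESS and v3[0] & 0x02:   # IPv6 (bit 1) not decoded here
                    ips.add(IPv4Address(v3[1:5]))
    return ips

class UeIpConflictTracker:
    """Tracks which CP session owns each UE IP; reports duplicates on establishment."""
    def __init__(self):
        self.owner = {}      # UE IP -> CP SEID of the session that allocated it
        self.ips_of = {}     # CP SEID -> set of UE IPs
        self.cp_of_up = {}   # UP SEID (learned from the response) -> CP SEID

    def on_message(self, data):
        """Feed one PFCP message; return [(ue_ip, owning_cp_seid, new_cp_seid), ...]."""
        msg_type, hdr_seid, body = parse_pfcp(data)
        if msg_type == SESSION_ESTABLISHMENT_REQUEST:
            cp_seid, ips = seid_in(body), session_ue_ips(body)
            conflicts = [(ip, self.owner[ip], cp_seid)
                         for ip in ips if self.owner.get(ip, cp_seid) != cp_seid]
            if conflicts:    # a UPF doing this check would reject the request here
                return conflicts
            self.owner.update({ip: cp_seid for ip in ips})
            self.ips_of[cp_seid] = ips
        elif msg_type == SESSION_ESTABLISHMENT_RESPONSE:
            # header SEID is the CP's; the body F-SEID is the UP's, which deletions use
            self.cp_of_up[seid_in(body)] = hdr_seid
        elif msg_type == SESSION_DELETION_REQUEST:
            cp_seid = self.cp_of_up.pop(hdr_seid, None)
            for ip in self.ips_of.pop(cp_seid, ()):
                if self.owner.get(ip) == cp_seid:
                    del self.owner[ip]
        return []

# Constructed sample messages carrying only the IEs this example needs.
def _ie(t, value):
    return struct.pack("!HH", t, len(value)) + value
def _pfcp(msg_type, seid, seq, body):
    rest = struct.pack("!Q", seid) + seq.to_bytes(3, "big") + b"\x00"
    return struct.pack("!BBH", 0x21, msg_type, len(rest) + len(body)) + rest + body
def _fseid(seid, node_ip):
    return _ie(IE_F_SEID, b"\x02" + struct.pack("!Q", seid) + IPv4Address(node_ip).packed)
def establishment_request(cp_seid, ue_ip, seq):
    pdi = _ie(IE_PDI, _ie(IE_UE_IP_ADDRESS, b"\x06" + IPv4Address(ue_ip).packed))  # V4, S/D=dst
    return _pfcp(SESSION_ESTABLISHMENT_REQUEST, 0, seq, _fseid(cp_seid, "10.0.0.1") + _ie(IE_CREATE_PDR, pdi))
def establishment_response(cp_seid, up_seid, seq):
    return _pfcp(SESSION_ESTABLISHMENT_RESPONSE, cp_seid, seq, _fseid(up_seid, "10.0.0.2"))
def deletion_request(up_seid, seq):
    return _pfcp(SESSION_DELETION_REQUEST, up_seid, seq, b"")

def run_demo():
    """Two legit sessions, a third reusing 10.45.0.2 (flagged), then reuse after teardown."""
    tr = UeIpConflictTracker()
    results = [tr.on_message(establishment_request(1, "10.45.0.2", 1))]
    tr.on_message(establishment_response(1, 0xA1, 1))
    results.append(tr.on_message(establishment_request(2, "10.45.0.3", 2)))
    results.append(tr.on_message(establishment_request(3, "10.45.0.2", 3)))  # forged: conflict
    tr.on_message(deletion_request(0xA1, 4))                                 # victim torn down
    results.append(tr.on_message(establishment_request(4, "10.45.0.2", 5)))  # legitimate reuse
    return results
```

Ownership is keyed on the CP F-SEID from the body rather than the header SEID because an establishment request arrives with header SEID 0, and an address is released only when the owning session is deleted, which is what keeps legitimate IP reuse after teardown from raising a false alarm. A deployment would also need to handle Session Modification Requests that add PDRs, IPv6 UE addresses and retransmissions with a new sequence number, none of which this example covers.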