CVE-2025-14955
BaseFortify
Publication date: 2025-12-19
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-665 | The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14955 is a vulnerability in Open5GS up to version 2.7.5, specifically in the SGWU component's PFCP handler function `ogs_pfcp_handle_create_pdr()`. The issue occurs when the system processes a PFCP Session Establishment Request containing a CreatePDR with a Packet Detection Information (PDI) element that includes an F-TEID (Fully Qualified Tunnel Endpoint Identifier) Information Element of zero length. This improper or missing initialization leads to an assertion failure because the code expects the F-TEID to contain either an IPv4 or IPv6 address. When this assertion fails, the SGWU process crashes, causing a denial of service. The vulnerability can be exploited remotely without authentication, although exploitation is considered difficult. A proof-of-concept exploit is publicly available, and a patch has been released to fix the issue by adding proper validation and error handling to reject malformed requests gracefully instead of crashing. [1, 2, 4]
How can this vulnerability impact me?
This vulnerability can cause a remote denial of service (DoS) on the Open5GS SGWU component by crashing the SGWU process when it receives a malformed PFCP Session Establishment Request with a zero-length F-TEID IE. This crash disrupts the availability of the 5G core network user plane functionality, potentially leading to service outages or degraded network performance. Since the attack can be launched remotely without authentication, it poses a risk of network disruption by malicious actors. The impact is primarily on system availability. [1, 2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or assertion failures in the Open5GS SGWU logs, specifically looking for messages related to the function `ogs_pfcp_handle_create_pdr()` and assertion failures involving F-TEID IE length or missing IPv4/IPv6 flags. Additionally, detection can involve capturing and analyzing PFCP Session Establishment Requests to identify malformed CreatePDR/PDI messages containing zero-length F-TEID Information Elements. A proof-of-concept Go program exists that crafts such malformed PFCP messages, which could be adapted for testing.

Network packet capture tools like tcpdump or Wireshark can be used to capture PFCP traffic on the SGWU PFCP endpoint (usually UDP port 8805) and filter for PFCP Session Establishment Requests with suspicious zero-length F-TEID IEs. Example tcpdump command to capture PFCP packets: `tcpdump -i <interface> udp port 8805 -w pfcp_capture.pcap`. Then, analyze the capture for PFCP CreatePDR messages with zero-length F-TEID IE using Wireshark or custom scripts.

Monitoring SGWU logs for error messages such as 'Invalid F-TEID' or assertion failures at `ogs_pfcp_handle_create_pdr()` can also indicate exploitation attempts or crashes. [2, 4]
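One way to implement the "custom scripts" check described above, as an added example that is not part of the original page or of Open5GS: it walks the IEs of a UDP payload captured on the PFCP port and flags a Session Establishment Request whose CreatePDR/PDI carries a zero-length F-TEID. The message and IE type numbers are taken from 3GPP TS 29.244; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Message and IE type numbers from 3GPP TS 29.244
MSG_SESSION_ESTABLISHMENT_REQUEST = 50
IE_CREATE_PDR, IE_PDI, IE_F_TEID = 1, 2, 21

def iter_ies(buf):
    """Yield (type, value) for each type/length/value IE; stop at a truncated IE."""
    off = 0
    while off + 4 <= len(buf):
        ie_type, ie_len = struct.unpack_from("!HH", buf, off)
        if off + 4 + ie_len > len(buf):
            return
        yield ie_type, buf[off + 4:off + 4 + ie_len]
        off += 4 + ie_len

def children(buf, wanted):
    """Values of the IEs of type `wanted` directly inside grouped IE body `buf`."""
    return [value for ie_type, value in iter_ies(buf) if ie_type == wanted]

def has_zero_length_fteid(payload):
    """True if a UDP payload is a PFCP Session Establishment Request whose
    CreatePDR -> PDI contains an F-TEID IE with length 0."""
    if len(payload) < 8:
        return False
    flags, msg_type, msg_len = struct.unpack_from("!BBH", payload, 0)
    if flags >> 5 != 1 or msg_type != MSG_SESSION_ESTABLISHMENT_REQUEST:
        return False
    header_len = 16 if flags & 0x01 else 8   # S flag set: 8-byte SEID present
    body = payload[header_len:4 + msg_len]   # length field excludes first 4 bytes
    return any(len(fteid) == 0
               for pdr in children(body, IE_CREATE_PDR)
               for pdi in children(pdr, IE_PDI)
               for fteid in children(pdi, IE_F_TEID))

def ie(ie_type, value=b""):
    """Encode one IE (used only to build the constructed samples below)."""
    return struct.pack("!HH", ie_type, len(value)) + value

def sample_request(fteid_value):
    """Constructed sample: header + CreatePDR{PDI{F-TEID}}; not a captured message."""
    body = ie(IE_CREATE_PDR, ie(IE_PDI, ie(IE_F_TEID, fteid_value)))
    rest = bytes(8) + b"\x00\x00\x01\x00"    # SEID, sequence number, spare
    return struct.pack("!BBH", 0x21, MSG_SESSION_ESTABLISHMENT_REQUEST,
                       len(rest) + len(body)) + rest + body

if __name__ == "__main__":
    valid = b"\x01" + bytes(4) + bytes([192, 0, 2, 1])  # V4 flag, TEID, IPv4
    print(has_zero_length_fteid(sample_request(b"")))
    print(has_zero_length_fteid(sample_request(valid)))
```

Feed `has_zero_length_fteid()` the UDP payload of each packet read from `pfcp_capture.pcap` with the pcap reader of your choice; a hit identifies the source address to investigate.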
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the official patch identified by commit `773117aa5472af26fc9f80e608d3386504c3bdb7`, which adds validation checks in the `ogs_pfcp_handle_create_pdr()` function to reject malformed PFCP requests with zero-length F-TEID IEs gracefully, preventing the SGWU process from crashing. Until the patch can be applied, monitoring and blocking malformed PFCP Session Establishment Requests containing zero-length F-TEID IEs at the network perimeter or firewall may reduce risk. It is also recommended to monitor SGWU logs for signs of exploitation attempts and restart the SGWU service if crashes occur. Applying the patch is strongly recommended as best practice to fully resolve the vulnerability. [1, 3]