CVE-2025-65565
BaseFortify
Publication date: 2025-12-18
Last updated on: 2025-12-19
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| omec-project | upf | 2.1.3-dev |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-65565 is a denial-of-service vulnerability in the omec-project UPF component (pfcpiface) version 2.1.3-dev. When the UPF receives a PFCP Session Establishment Request message that is missing the mandatory F-SEID (CP Function SEID) Information Element, it improperly handles this by calling a method on a nil pointer. This causes a runtime panic and crashes the UPF process, disrupting user-plane services. [1]
How can this vulnerability impact me? :
An attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this vulnerability to repeatedly crash the UPF process. This results in denial of service by disrupting user-plane operations, potentially impacting 5G network availability and causing service outages. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the UPF logs for panic stack traces indicating a nil pointer dereference caused by malformed PFCP Session Establishment Request messages missing the CPF-SEID IE. Additionally, sending crafted PFCP Session Establishment Request messages without the CPF-SEID IE to the UPF's PFCP port (default UDP port 8805) can test for the vulnerability. A proof-of-concept Go program exists that uses the github.com/wmnsk/go-pfcp library to craft and send such malformed PFCP messages over UDP. Commands would involve running this PoC or similar scripts to send malformed PFCP messages to the UPF and observing if the UPF process crashes. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the UPF's PFCP endpoint (UDP port 8805) to trusted sources only, implementing network-level filtering to block malformed PFCP messages, and monitoring UPF logs for crash events. Applying any available patches or updates from the omec-project that address this issue is also recommended once available. Until a fix is applied, preventing untrusted entities from sending PFCP Session Establishment Requests to the UPF can reduce the risk of exploitation. [1]