Executive Summary

CVE-2025-15530 is a denial-of-service vulnerability in Open5GS SGW-C (Serving Gateway Control plane) up to version 2.7.6. It occurs in the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request when the SGW-C processes a crafted GTPv2-C CreateIndirectDataForwardingTunnelRequest message containing an invalid EPS Bearer ID (EBI) that does not match any existing bearer in the current session. This causes the SGW-C to perform a bearer lookup that returns NULL, triggering an assertion failure and crashing the SGW-C process. The attack can be executed remotely without authentication by sending a single malformed message over the S11 interface. A detailed proof-of-concept exploit exists demonstrating this attack. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the Open5GS SGW-C process, leading to loss of availability of the Serving Gateway Control plane. Since the SGW-C is a critical component in mobile network infrastructure, its crash can disrupt network services, impacting users' connectivity and data forwarding. The attack requires only network access to the S11 interface and no authentication, making it relatively easy for an attacker to exploit remotely. [1, 2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or assertion failures in the Open5GS SGW-C process, especially after receiving GTPv2-C CreateIndirectDataForwardingTunnelRequest messages on the S11 interface. Detection involves capturing and analyzing GTPv2 traffic to identify malformed CreateIndirectDataForwardingTunnelRequest messages containing invalid EPS Bearer IDs (EBI) that do not correspond to any existing bearer in the session. Since the exploit sends crafted GTPv2 messages over UDP to port 2123 (S11 interface), network packet capture tools like tcpdump or Wireshark can be used to filter and inspect such traffic. Example commands include: 1. Capture GTPv2 traffic on UDP port 2123: `tcpdump -i <interface> udp port 2123 -w capture.pcap` 2. Analyze the capture in Wireshark to look for CreateIndirectDataForwardingTunnelRequest messages with invalid or unexpected EBI values. Additionally, monitoring SGW-C logs for assertion failures or process crashes can indicate exploitation attempts. There is a publicly available proof-of-concept (PoC) implemented in Go that simulates the attack by sending crafted GTPv2 messages, which can be used in a controlled environment to test detection capabilities. [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Open5GS to a version where this vulnerability is fixed, specifically versions after 2.7.6. The issue has been reported, confirmed, and fixed as of January 16, 2026. Since the vulnerability is triggered by malformed GTPv2-C messages on the S11 interface, restricting network access to the SGW-C S11 interface to trusted entities only can reduce exposure. Implementing network-level filtering or firewall rules to block unauthorized or suspicious GTPv2 traffic on UDP port 2123 can help mitigate exploitation attempts. Monitoring SGW-C logs for crashes or assertion failures and applying vendor patches promptly are critical. No other known mitigations or countermeasures are currently recommended. [2, 3]

Useful 0 Not Useful 0