CVE-2025-15539
Remote DoS Vulnerability in Open5GS sgwc_s11-handler Component
Publication date: 2026-01-19
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | to 2.7.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15539 is a denial of service vulnerability in the Open5GS Serving Gateway Control plane (SGW-C) component, specifically in the function sgwc_s11_handle_downlink_data_notification_ack. The issue occurs when the SGW-C receives a delayed Downlink Data Notification Acknowledge (DDN Ack) message referencing a bearer that has already been removed after session teardown. This causes the SGW-C to attempt a lookup for a non-existent bearer context, triggering an assertion failure and crashing the SGW-C process. The vulnerability can be exploited remotely without authentication by sending crafted GTPv2-C signaling messages that simulate this delayed acknowledgment scenario. [1, 3, 4]
How can this vulnerability impact me? :
This vulnerability can cause the Open5GS SGW-C process to crash, resulting in a denial of service (DoS). Since the SGW-C is a critical component in the mobile core network responsible for session management, its crash can disrupt network services, leading to service unavailability for users. The attack can be performed remotely without any privileges or user interaction, making it a significant risk for network stability and availability. [1, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the SGW-C logs for crashes or assertion failures related to Downlink Data Notification Acknowledge (DDN Ack) messages referencing deleted bearers. Specifically, look for error or warning logs indicating missing bearer or session contexts in the sgwc_s11_handle_downlink_data_notification_ack function. Additionally, reproducing the issue using the publicly available proof-of-concept (PoC) Go program can help detect the vulnerability by simulating the attack sequence and observing if the SGW-C crashes. The PoC includes command-line flags to configure IP addresses, TEIDs, IMSI, APN, MCC/MNC, timing delays, and can be used to test the system's response to delayed DDN Ack messages. Monitoring UDP traffic on the SGW-C's S11 GTP-C port (default 2123) for delayed or malformed DDN Ack messages may also help detect exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the official patch identified by commit b4707272c1caf6a7d4dca905694ea55557a0545f, which fixes the vulnerability by replacing fatal assertions with runtime checks and safe handling of delayed or malformed Downlink Data Notification Acknowledge messages. This patch prevents the SGW-C process from crashing due to missing bearer or session contexts. Until the patch is applied, monitoring and filtering suspicious delayed DDN Ack messages on the S11 interface may reduce the risk of exploitation. It is also recommended to update Open5GS to a version later than 2.7.6 where this issue is fixed. [2, 4]