CVE-2025-14954

3.7 LOW

📋 TL;DR

This vulnerability in Open5GS allows remote attackers to trigger reachable assertions in PFCP (Packet Forwarding Control Protocol) handling functions, potentially causing denial of service. Affected are Open5GS deployments up to version 2.7.6 that use the vulnerable PFCP component. The attack requires high complexity but could disrupt 5G core network functions.

💻 Affected Systems

Products:
  • Open5GS
Versions: Up to and including 2.7.6
Operating Systems: All platforms running Open5GS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using PFCP functionality. Open5GS must be configured to handle PFCP traffic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote denial of service causing Open5GS to crash, disrupting 5G core network services for all connected users.

🟠 Likely Case

Service disruption requiring restart of affected Open5GS components, causing temporary connectivity loss.

🟢 If Mitigated

Minimal impact if proper network segmentation and monitoring are in place to detect and block malicious PFCP traffic.

🌐 Internet-Facing: MEDIUM - Attack requires remote access but has high complexity and difficult exploitability.
🏢 Internal Only: MEDIUM - Internal attackers with network access could exploit, but still requires high technical skill.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploit has been publicly disclosed and may be used, but requires specific PFCP protocol knowledge and manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in commit 442369dcd964f03d95429a6a01a57ed21f7779b7

Vendor Advisory: https://github.com/open5gs/open5gs/commit/442369dcd964f03d95429a6a01a57ed21f7779b7

Restart Required: Yes

Instructions:

1. Update Open5GS to a version later than 2.7.6, or apply commit 442369d.
2. Rebuild from source if using a source installation.
3. Restart all Open5GS services.

🔧 Temporary Workarounds

Network Segmentation (Linux)

Restrict PFCP traffic to trusted sources only using firewall rules.

iptables -A INPUT -p udp --dport 8805 -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit PFCP traffic to authorized sources only.
  • Deploy intrusion detection systems to monitor for abnormal PFCP traffic patterns.

🔍 How to Verify

Check if Vulnerable:

Check Open5GS version and verify if commit 442369d is present in the source code.

Check Version:

open5gs-smfd -v    # or any other installed open5gs-*d daemon
grep -rn 'OPEN5GS_VERSION' <source_dir>    # source installations

Verify Fix Applied:

Verify Open5GS version is greater than 2.7.6 or that commit 442369d is applied in git history.
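The verification above as a script, so that a build reporting a git-describe style version such as v2.7.6-12-g<hash> (which compares equal to 2.7.6) is settled by the commit check rather than by the version string. This is an added example, not code from the advisory or the Open5GS project. The function names version_gt, has_fix_commit and assess are hypothetical, and it assumes the source tree is a git checkout with git on PATH.

```shell
#!/bin/sh
# Added example: classify an Open5GS build against the fix described above.
FIX_COMMIT=442369dcd964f03d95429a6a01a57ed21f7779b7   # fix commit named on this page
LAST_AFFECTED=2.7.6                                   # last affected release per this page

# version_gt A B: 0 if A > B, 1 if not, 2 if either is not a dotted number.
# A leading "v" and any "-N-g<hash>" or "+meta" suffix are ignored.
version_gt() {
    a=${1#v}; a=${a%%[-+]*}
    b=${2#v}; b=${b%%[-+]*}
    case $a in ''|*[!0-9.]*) return 2 ;; esac
    case $b in ''|*[!0-9.]*) return 2 ;; esac
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 1
}

# has_fix_commit DIR [COMMIT]: 0 if COMMIT is an ancestor of HEAD in DIR,
# 1 if it is not, 2 if DIR gives no conclusive answer (not a git checkout,
# git missing, or a shallow clone that lacks the commit object).
has_fix_commit() {
    dir=$1; commit=${2:-$FIX_COMMIT}
    git -C "$dir" rev-parse --git-dir >/dev/null 2>&1 || return 2
    if ! git -C "$dir" cat-file -e "$commit^{commit}" 2>/dev/null; then
        # Object missing: conclusive only when the history is complete.
        [ "$(git -C "$dir" rev-parse --is-shallow-repository)" = false ] && return 1
        return 2
    fi
    git -C "$dir" merge-base --is-ancestor "$commit" HEAD
}

# assess VERSION [SRC_DIR [COMMIT]]: prints PATCHED, VULNERABLE or UNKNOWN.
assess() {
    vrc=0; version_gt "$1" "$LAST_AFFECTED" || vrc=$?
    grc=2
    [ -z "${2:-}" ] || { grc=0; has_fix_commit "$2" "${3:-$FIX_COMMIT}" || grc=$?; }
    if [ "$vrc" -eq 0 ] || [ "$grc" -eq 0 ]; then echo PATCHED
    elif [ "$vrc" -eq 2 ] && [ "$grc" -eq 2 ]; then echo UNKNOWN
    else echo VULNERABLE; fi
}

if [ "$#" -gt 0 ]; then assess "$@"; fi
```

Run it as `sh check.sh <version> [<source_dir>]`, where check.sh is whatever name the script was saved under.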

📡 Detection & Monitoring

Log Indicators:

  • Open5GS crash logs
  • Assertion failure messages in PFCP handling
  • Service restart patterns

Network Indicators:

  • Malformed PFCP packets
  • Unusual PFCP traffic from untrusted sources

SIEM Query:

source="open5gs.log" AND ("assertion" OR "crash" OR "pfcp")
