CVE-2025-15156
📋 TL;DR
A null pointer dereference vulnerability exists in omec-project UPF's PFCP Session Establishment Request Handler, allowing remote attackers to cause denial of service by crashing the service. This affects deployments using UPF versions up to 2.1.3-dev. The vulnerability is remotely exploitable and an exploit has been published.
💻 Affected Systems
- omec-project UPF
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker crashes the UPF service, causing complete denial of service for all user plane traffic handled by that instance.
Likely Case
Service disruption affecting user plane traffic until service restart, potentially impacting mobile network connectivity.
If Mitigated
Service automatically restarts with minimal disruption if proper monitoring and auto-recovery are configured.
🎯 Exploit Status
Exploit has been published and requires sending specially crafted PFCP session establishment requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/omec-project/upf/issues/979
Restart Required: Yes
Instructions:
1. Monitor the omec-project UPF repository for patches. 2. Apply official patch when available. 3. Restart UPF service after patching.
🔧 Temporary Workarounds
Network Segmentation
linuxRestrict access to PFCP interface to trusted NFs only using firewall rules.
iptables -A INPUT -p udp --dport 8805 -s <trusted_nf_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit PFCP interface exposure
- Deploy monitoring and auto-restart mechanisms for UPF service
🔍 How to Verify
Check if Vulnerable:
Check UPF version: if version is 2.1.3-dev or earlier, system is vulnerable.Check Version:
Check UPF build version or consult deployment documentation for version information.Verify Fix Applied:
Verify UPF version is later than 2.1.3-dev after applying official patch.📡 Detection & Monitoring
Log Indicators:
- UPF service crash logs
- Panic or segmentation fault messages in system logs
- PFCP session establishment failures
Network Indicators:
- Unusual PFCP session establishment requests from untrusted sources
- Sudden cessation of UPF service traffic
SIEM Query:
source="upf.logs" AND ("panic" OR "segmentation fault" OR "null pointer")