CVE-2025-15539

5.3 MEDIUM

📋 TL;DR

A denial-of-service vulnerability exists in the Open5GS SGWC component: remote attackers can crash the service by sending malicious S11 protocol messages. This affects all Open5GS deployments up to version 2.7.6 that have SGWC enabled. The vulnerability is in the sgwc_s11_handle_downlink_data_notification_ack function.

💻 Affected Systems

Products:
  • Open5GS
Versions: All versions up to 2.7.6
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with the SGWC (Serving Gateway Control Plane) component enabled and exposed to untrusted networks.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption of the SGWC component, potentially affecting 5G core network functionality for affected subscribers.

🟠

Likely Case

Service interruption causing failed data sessions and connectivity issues for mobile users.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring in place to detect and block exploitation attempts.

🌐 Internet-Facing: MEDIUM - Attack can be initiated remotely but requires S11 protocol access which should be restricted in properly configured networks.
🏢 Internal Only: MEDIUM - Internal attackers with network access to S11 interface could disrupt service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly disclosed in GitHub issues and the vulnerability is in a network-facing component.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit b4707272c1caf6a7d4dca905694ea55557a0545f

Vendor Advisory: https://github.com/open5gs/open5gs/commit/b4707272c1caf6a7d4dca905694ea55557a0545f

Restart Required: Yes

Instructions:

1. Update Open5GS to a version after 2.7.6 or apply commit b4707272c1caf6a7d4dca905694ea55557a0545f.
2. Rebuild from source if using a source installation.
3. Restart the SGWC service.

🔧 Temporary Workarounds

Network Segmentation

linux

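Restrict access to the S11 interface (GTPv2-C, default UDP port 2123) to trusted networks only.

# S11 carries GTPv2-C over UDP, so the rules must match udp rather than tcp.
# Replace trusted_network with the address or CIDR of the peer MME network.
iptables -A INPUT -p udp --dport 2123 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 2123 -j DROP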

🧯 If You Can't Patch

  • Implement strict network access controls to limit S11 interface exposure
  • Deploy intrusion detection systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Open5GS version: open5gs-sgwcd -v. If the version is 2.7.6 or earlier, check whether the SGWC component is running.

Check Version:

open5gs-sgwcd -v

Verify Fix Applied:

Verify that the installed build includes commit b4707272c1caf6a7d4dca905694ea55557a0545f or that the version is newer than 2.7.6.
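
The version and commit checks above, combined into one script (an added example, not code from the Open5GS project or the original advisory). The function names are hypothetical; the caller supplies the version string and, for source builds, the path to the git checkout.

```shell
#!/bin/sh
# Added example: triage an Open5GS build against CVE-2025-15539.
# Function names are hypothetical; the two constants come from the advisory.
FIX_COMMIT=b4707272c1caf6a7d4dca905694ea55557a0545f
LAST_VULNERABLE=2.7.6

# version_is_vulnerable VERSION: succeeds when VERSION <= 2.7.6.
version_is_vulnerable() {
    v=${1#v}    # accept "v2.7.6" as well as "2.7.6"
    # sort -V orders dotted versions numerically, so 2.7.10 sorts after 2.7.6.
    lowest=$(printf '%s\n%s\n' "$v" "$LAST_VULNERABLE" | sort -V | head -n 1)
    [ "$lowest" = "$v" ]
}

# source_has_fix REPO_DIR [COMMIT]: succeeds when COMMIT (default: the fix
# commit) is an ancestor of the checked-out HEAD. A missing repository, a
# missing git binary or an unknown commit all count as "fix not present".
source_has_fix() {
    git -C "$1" merge-base --is-ancestor "${2:-$FIX_COMMIT}" HEAD 2>/dev/null
}

# assess VERSION [REPO_DIR]: prints patched, vulnerable or check-source.
assess() {
    if [ -n "$2" ]; then
        # A source tree is authoritative: trust commit ancestry over the version.
        if source_has_fix "$2"; then echo patched; else echo vulnerable; fi
        return 0
    fi
    case ${1#v} in
        *-*)
            # e.g. 2.7.6-12-gabc1234: built between releases, so the version
            # string alone cannot show whether the fix commit is included.
            echo check-source ;;
        *)
            if version_is_vulnerable "$1"; then echo vulnerable; else echo patched; fi ;;
    esac
}
```

On a shallow clone the ancestry check can report the fix as missing even when it is present, so fetch the full history before relying on a "vulnerable" result from a source tree.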

📡 Detection & Monitoring

Log Indicators:

  • SGWC service crashes or restarts
  • Error messages related to sgwc_s11_handle_downlink_data_notification_ack
  • Unexpected S11 protocol errors

Network Indicators:

  • Unusual S11 protocol traffic patterns
  • Multiple malformed S11 messages from single source

SIEM Query:

source="open5gs.log" AND ("crash" OR "segmentation fault" OR "sgwc_s11")
