CVE-2025-29646

7.1 HIGH

📋 TL;DR

A vulnerability in the UPF component of open5gs allows remote attackers to cause a denial of service by sending specially crafted PFCP SessionEstablishmentRequest packets. It affects open5gs deployments running version 2.7.2 or earlier. Attackers can crash the UPF service, disrupting 5G network functionality.

💻 Affected Systems

Products:
  • open5gs
Versions: 2.7.2 and earlier
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using the UPF (User Plane Function) component of open5gs

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete UPF service crash leading to loss of 5G data plane connectivity for all users in the affected network segment

🟠 Likely Case

Service disruption affecting multiple users until the UPF service is restarted

🟢 If Mitigated

Limited impact if network segmentation and rate limiting prevent malicious packets from reaching the UPF

🌐 Internet-Facing: HIGH - UPF components exposed to untrusted networks are directly vulnerable to remote exploitation
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems can exploit this vulnerability

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in GitHub issue; exploitation requires sending crafted PFCP packets to UPF

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.3 or later

Vendor Advisory: https://github.com/open5gs/open5gs/issues/3747

Restart Required: Yes

Instructions:

1. Update open5gs to version 2.7.3 or later.
2. Restart UPF service.
3. Verify service is running correctly.

🔧 Temporary Workarounds

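Network filtering (Linux)

Block or filter PFCP SessionEstablishmentRequest packets with restoration indication = true and invalid TEID values:

iptables -A INPUT -p udp --dport 8805 -m string --hex-string '|01 00 00 00|' --algo bm -j DROP

Caveat: this rule is not tied to an offset or to a specific PFCP field. It matches the four bytes 01 00 00 00 anywhere in a UDP packet to port 8805, so it can also drop legitimate PFCP messages. Test it against normal PFCP traffic before relying on it.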

🧯 If You Can't Patch

  • Implement network segmentation to isolate UPF from untrusted networks
  • Deploy rate limiting on PFCP interface to prevent rapid exploitation attempts
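
An added example (not from the advisory or the open5gs project) of the two measures above: it prints iptables rules that accept PFCP on UDP 8805 only from listed SMF addresses and drop bursts from those peers. The chain name PFCP_IN, the 50/second ceiling and the 192.0.2.x addresses are assumptions or placeholders.

```shell
#!/bin/sh
# Added example: print iptables rules that restrict PFCP (UDP 8805) on the UPF
# host to known SMF peers and rate-limit each peer. Nothing is applied here.

PFCP_PORT=8805             # port used by the page's own iptables rule
RATE="${RATE:-50/second}"  # assumed per-peer ceiling; tune to real PFCP load

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# pfcp_rules SMF_IP...: print the ruleset, or fail before printing anything.
pfcp_rules() {
    [ "$#" -ge 1 ] || { echo "usage: pfcp_rules SMF_IP..." >&2; return 2; }
    for smf in "$@"; do
        is_ipv4 "$smf" || { echo "not an IPv4 address: $smf" >&2; return 1; }
    done
    limit="-m hashlimit --hashlimit-name pfcp --hashlimit-mode srcip"
    echo "iptables -N PFCP_IN"
    for smf in "$@"; do
        # Excess packets from an allowed peer are dropped before the ACCEPT.
        echo "iptables -A PFCP_IN -s $smf $limit --hashlimit-above $RATE -j DROP"
        echo "iptables -A PFCP_IN -s $smf -j ACCEPT"
    done
    echo "iptables -A PFCP_IN -j DROP"   # every other source is refused
    echo "iptables -I INPUT -p udp --dport $PFCP_PORT -j PFCP_IN"
}

# Run as: sh pfcp_rules.sh 192.0.2.10 192.0.2.11   (placeholder SMF addresses)
[ "$#" -eq 0 ] || pfcp_rules "$@"
```

Review the printed rules before piping them to a root shell. UDP source addresses can be spoofed, so this filter complements an isolated PFCP network and does not replace it.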

🔍 How to Verify

Check if Vulnerable:

Run open5gs-upfd --version. If the reported version is 2.7.2 or earlier, the system is vulnerable.

Check Version:

open5gs-upfd --version

Verify Fix Applied:

After patching, verify version is 2.7.3 or later and UPF service remains stable under normal traffic

📡 Detection & Monitoring

Log Indicators:

  • UPF service crashes
  • PFCP session establishment failures
  • Error messages related to TEID validation

Network Indicators:

  • PFCP packets with restoration indication = true and TEID = 0 or large TEID values
  • Sudden increase in PFCP session requests

SIEM Query:

source="open5gs-upf.log" AND ("crash" OR "segmentation fault" OR "invalid TEID")
