CVE-2025-65563
📋 TL;DR
A denial-of-service vulnerability in omec-project UPF allows attackers to crash the UPF process by sending malformed PFCP Association Setup Request messages missing the mandatory NodeID Information Element. This affects all deployments using vulnerable versions of the UPF's pfcpiface component, disrupting user-plane services. The vulnerability requires network access to the UPF's N4/PFCP endpoint.
💻 Affected Systems
- omec-project UPF (User Plane Function)
📦 What is this software?
Upf by Opennetworking
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of user-plane services through repeated UPF crashes, causing extended service outages until manual intervention restarts the process.
Likely Case
Intermittent service disruption as attackers exploit the vulnerability to crash the UPF, requiring process restarts and causing temporary service degradation.
If Mitigated
Minimal impact with proper network segmentation and monitoring, allowing quick detection and response to exploitation attempts.
🎯 Exploit Status
Exploitation requires only the ability to send crafted PFCP packets to the N4/PFCP endpoint, making it straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit referenced in GitHub pull request #963
Vendor Advisory: https://github.com/omec-project/upf/issues/955
Restart Required: Yes
Instructions:
1. Update to the patched version of omec-project UPF. 2. Apply the fix from GitHub pull request #963. 3. Restart the UPF process to apply changes.
🔧 Temporary Workarounds
Network Segmentation
linuxRestrict access to the UPF's N4/PFCP endpoint to only trusted control-plane functions.
iptables -A INPUT -p tcp --dport <N4_PORT> -s <TRUSTED_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport <N4_PORT> -j DROP
Rate Limiting
linuxImplement rate limiting on PFCP Association Setup Request messages to prevent rapid exploitation.
iptables -A INPUT -p tcp --dport <N4_PORT> -m limit --limit 10/min --limit-burst 20 -j ACCEPT
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can communicate with the UPF's N4/PFCP endpoint.
- Deploy monitoring and alerting for UPF process crashes to enable rapid response and restart.
🔍 How to Verify
Check if Vulnerable:
Check if running a vulnerable version by examining the UPF version or checking for the presence of the fix from GitHub pull request #963.Check Version:
Check UPF configuration or logs for version information, typically via command line or configuration files specific to the deployment.Verify Fix Applied:
Verify the fix is applied by checking the UPF version or confirming the code changes from pull request #963 are present.📡 Detection & Monitoring
Log Indicators:
- UPF process panic/crash logs
- Error messages related to nil pointer dereference in pfcpiface
- Repeated UPF restarts
Network Indicators:
- Unusual volume of PFCP Association Setup Request messages
- PFCP messages missing NodeID IE from untrusted sources
SIEM Query:
source="upf.log" AND ("panic" OR "nil pointer" OR "pfcpiface" AND "crash")