CVE-2025-65565
📋 TL;DR
A denial-of-service vulnerability in omec-project UPF's pfcpiface component allows attackers to crash the UPF process by sending malformed PFCP Session Establishment Request messages missing the mandatory F-SEID field. This disrupts user-plane services for all connected users. Organizations running vulnerable versions of omec-project UPF are affected.
💻 Affected Systems
- omec-project UPF (pfcpiface component)
📦 What is this software?
Upf by Opennetworking
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption for all users relying on the UPF, with repeated crashes preventing service restoration until the vulnerability is mitigated.
Likely Case
Intermittent service outages as attackers repeatedly crash the UPF, causing degraded performance and user connectivity issues.
If Mitigated
Minimal impact if proper network segmentation and access controls prevent unauthorized access to the N4/PFCP endpoint.
🎯 Exploit Status
Exploitation requires only the ability to send crafted PFCP messages to the vulnerable endpoint, which is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub issue #957 for latest patched version
Vendor Advisory: https://github.com/omec-project/upf/issues/957
Restart Required: Yes
Instructions:
1. Monitor the GitHub issue for official patch release. 2. Update to the patched version once available. 3. Restart the UPF service to apply the fix.
🔧 Temporary Workarounds
Network Access Control
linuxRestrict access to the UPF's N4/PFCP endpoint (typically port 8805) to only trusted PFCP peers using firewall rules.
iptables -A INPUT -p udp --dport 8805 -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the UPF from untrusted networks.
- Deploy intrusion detection/prevention systems to monitor for malformed PFCP traffic patterns.
🔍 How to Verify
Check if Vulnerable:
Check the UPF version: if running upf-epc-pfcpiface:2.1.3-dev, it is vulnerable.Check Version:
docker images | grep upf-epc-pfcpiface or check deployment manifests for version tagVerify Fix Applied:
After patching, verify the UPF version is updated and test by sending valid PFCP Session Establishment Requests to ensure no crashes occur.📡 Detection & Monitoring
Log Indicators:
- UPF process panic/crash logs
- Repeated UPF service restarts in system logs
Network Indicators:
- Unusual PFCP traffic patterns to the N4 endpoint
- PFCP Session Establishment Requests missing F-SEID field
SIEM Query:
source="upf.logs" AND ("panic" OR "nil pointer" OR "FSEID")