CVE-2025-65567
📋 TL;DR
A denial-of-service vulnerability in the omec-project UPF's pfcpiface component allows attackers to crash the UPF process by sending specially crafted PFCP Session Establishment Request messages. This affects organizations using the vulnerable UPF version for 5G core network functions. The vulnerability requires network access to the UPF's N4/PFCP endpoint.
💻 Affected Systems
- omec-project UPF (pfcpiface component)
📦 What is this software?
Upf by Opennetworking
⚠️ Risk & Real-World Impact
Worst Case
Sustained attacks could cause repeated UPF crashes, leading to complete loss of user plane connectivity and service disruption for all connected devices.
Likely Case
Attackers cause intermittent UPF crashes, resulting in service degradation, dropped connections, and potential network instability.
If Mitigated
With proper network segmentation and access controls, impact is limited to authorized internal systems only.
🎯 Exploit Status
Exploitation requires network access to the N4/PFCP endpoint but no authentication. The vulnerability is straightforward to trigger with crafted PFCP messages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub issue #959 for latest patched version
Vendor Advisory: https://github.com/omec-project/upf/issues/959
Restart Required: Yes
Instructions:
1. Monitor the GitHub issue for patch release. 2. Update to the patched version when available. 3. Restart the UPF service. 4. Verify the fix by checking version and monitoring for crashes.
🔧 Temporary Workarounds
Network Segmentation
linuxRestrict access to the UPF's N4/PFCP endpoint to only trusted SMF nodes using firewall rules.
iptables -A INPUT -p tcp --dport <pfcp_port> -s <trusted_smf_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <pfcp_port> -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can communicate with the UPF's N4/PFCP interface.
- Deploy monitoring and alerting for UPF process crashes to enable rapid detection and response to attacks.
🔍 How to Verify
Check if Vulnerable:
Check if running upf-epc-pfcpiface version 2.1.3-dev and review system logs for UPF process crashes after PFCP association.Check Version:
docker images | grep upf-epc-pfcpiface or check container/pod version in deployment configurationVerify Fix Applied:
After patching, verify the UPF version is updated and monitor for absence of crashes when receiving PFCP traffic.📡 Detection & Monitoring
Log Indicators:
- UPF process panic/crash logs
- Error messages mentioning parseFlowDesc or buffer bounds
- Repeated UPF service restarts
Network Indicators:
- Unusual PFCP Session Establishment Request patterns
- Multiple PFCP requests from single source in short time
SIEM Query:
source="upf.logs" AND ("panic" OR "crash" OR "parseFlowDesc")