CVE-2025-15539 in Open5GS

Summary

by MITRE • 01/19/2026

A vulnerability was determined in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c of the component sgwc. This manipulation causes denial of service. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: b4707272c1caf6a7d4dca905694ea55557a0545f. To fix this issue, it is recommended to deploy a patch. The issue report is flagged as already-fixed.

Analysis

by VulDB Data Team • 02/11/2026

The vulnerability identified as CVE-2025-15539 affects the Open5GS software suite, specifically targeting version 2.7.6 and earlier releases. This issue resides within the SGWC (Serving Gateway Control Plane) component of the system, where the function sgwc_s11_handle_downlink_data_notification_ack in the file src/sgwc/s11-handler.c demonstrates a critical flaw that can be exploited to cause denial of service conditions. The vulnerability represents a significant security weakness in the 5G core network infrastructure, as it allows remote attackers to disrupt normal operations of the network function.

The technical flaw manifests in the improper handling of downlink data notification acknowledgments within the S11 interface protocol, which governs communication between the MME (Mobility Management Entity) and SGWC in 4G/LTE networks. This function fails to properly validate or process incoming acknowledgment messages, creating a potential exploitation vector that can be leveraged by malicious actors to send crafted payloads that trigger system crashes or resource exhaustion. The vulnerability is classified as a remote attack vector, meaning that adversaries can exploit this weakness without requiring physical access to the system, making it particularly dangerous in production network environments where security boundaries are often porous.

The operational impact of this vulnerability extends beyond simple service disruption, as it can potentially compromise the entire network availability for mobile subscribers. When exploited successfully, the denial of service condition can affect multiple connected users simultaneously, causing widespread connectivity issues and service degradation. The vulnerability's public disclosure status indicates that threat actors have likely already developed and deployed exploitation tools, making immediate remediation essential for network operators. This situation aligns with CWE-400, which addresses improper handling of resource exhaustion conditions, and represents a classic example of how protocol implementation flaws can lead to catastrophic system failures.

Network operators and security teams should immediately implement the patch referenced as b4707272c1caf6a7d4dca905694ea55557a0545f to address this vulnerability. The patch specifically targets the sgwc_s11_handle_downlink_data_notification_ack function and implements proper validation mechanisms for incoming acknowledgment messages. Organizations should also consider implementing network monitoring solutions to detect anomalous traffic patterns that might indicate exploitation attempts. The ATT&CK framework categorizes this vulnerability under the T1499.004 technique for network denial of service attacks, and the mitigation strategy should include regular vulnerability assessments and patch management procedures to prevent similar issues from arising in other components of the 5G infrastructure stack. Given the critical nature of 5G core network functions, this vulnerability requires immediate attention to maintain service availability and network integrity.

Responsible

VulDB

Disclosure

01/19/2026

Moderation

accepted

CPE

ready

EPSS

0.00112

KEV

no

Activities

very low
