CVE-2025-48219 in O2 UK
Summary
by MITRE • 05/18/2025
O2 UK through 2025-05-17 allows subscribers to determine the Cell ID of other subscribers by initiating an IMS (IP Multimedia Subsystem) call and then reading the utran-cell-id-3gpp field of a Cellular-Network-Info SIP header, aka an ECI (E-UTRAN Cell Identity) leak. The Cell ID might be usable to identify a cell location via crowdsourced data, and might correspond to a small physical area (e.g., if the called party is in a city centre). Removal of the Cellular-Network-Info header is mentioned in section 4.4.19 of ETSI TS 124 229.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/18/2025
This vulnerability represents a significant privacy and location tracking risk within the O2 UK telecommunications infrastructure, specifically affecting IMS (IP Multimedia Subsystem) call handling mechanisms. The flaw allows malicious actors to extract Cell ID information from IMS calls through manipulation of SIP (Session Initiation Protocol) headers, specifically targeting the utran-cell-id-3gpp field within the Cellular-Network-Info header. This represents a direct violation of telecommunications privacy standards and exposes subscribers to potential location-based tracking and surveillance. The vulnerability operates at the network protocol level, leveraging legitimate IMS call procedures to extract sensitive location metadata that should remain protected within the telecommunications infrastructure.
The technical implementation of this vulnerability stems from improper handling of SIP headers within the IMS framework, where the Cellular-Network-Info header containing ECI (E-UTRAN Cell Identity) information is not properly sanitized or removed from call signaling messages. This flaw aligns with CWE-200 (Information Exposure) and CWE-312 (Sensitive Data Exposure) categories, as it exposes cellular network location identifiers that can be used to pinpoint subscriber locations with considerable precision. The vulnerability specifically affects the ETSI TS 124 229 standard implementation, which explicitly recommends removal of the Cellular-Network-Info header in section 4.4.19 to prevent such information leakage. The ECI values extracted through this method can be cross-referenced with crowdsourced cellular tower location databases, potentially enabling accurate geolocation of individuals to within a few hundred meters, particularly in urban environments where cell tower density is high.
The operational impact of this vulnerability extends beyond simple privacy concerns to encompass potential security threats including location-based social engineering attacks, stalking, and targeted surveillance operations. When combined with other location data sources, the Cell ID information can be used to construct detailed movement patterns and behavioral profiles of individuals, creating significant risks for personal safety and privacy. The vulnerability affects all subscribers within the O2 UK network who are participating in IMS calls, making it a widespread risk that impacts the entire customer base. Attackers could potentially use this information to identify high-value targets, conduct location-based fraud, or perform coordinated surveillance operations against specific individuals or groups.
Mitigation strategies should focus on immediate implementation of header sanitization within the IMS infrastructure, ensuring that the Cellular-Network-Info SIP header is properly stripped from outgoing calls according to ETSI TS 124 229 specifications. Network operators must implement comprehensive monitoring and logging of SIP header contents to detect and prevent unauthorized information leakage. The vulnerability demonstrates weaknesses in telecommunications security controls and highlights the importance of adhering to established standards for information protection. Additional measures should include network segmentation to limit exposure, regular security assessments of IMS implementations, and implementation of automated detection systems for similar information leakage vulnerabilities. This issue also underscores the need for continuous security testing of telecommunications infrastructure against known attack patterns and the importance of proper configuration management for SIP-based systems. The vulnerability serves as a reminder of the critical importance of protecting location metadata in mobile networks and the potential consequences of failing to implement proper information flow controls.