Submit #808799: Dotouch XproUPF v2.0.0-release-088aa7c4 impinfo

TitleDotouch XproUPF v2.0.0-release-088aa7c4 imp
Description#Title UPF Session Hijacking via Duplicate PDR Injection and Higher-Priority Malicious FAR Redirection #Description The UPF exhibits a critical logic vulnerability in PFCP session handling. The system fails to enforce the uniqueness of PDR IDs within a single PFCP session, allowing multiple PDR entries with the same ID to coexist. When an attacker submits a crafted PFCP Session Modification Request that includes a duplicated PDR ID with a lower Precedence value (higher priority) than the existing legitimate rule, the UPF datapath misinterprets the rule hierarchy. Consequently, the UPF prioritizes the malicious PDR and its associated FAR, redirecting user-plane traffic to an attacker-controlled outer-header destination. #Step to Reproduce Establish a legitimate PFCP session on the target UPF. Identify an existing, active PDR ID (e.g., PDR ID: 3) and its associated legitimate FAR. Send a crafted PFCP Session Modification Request targeting the active session. In the request, inject a duplicated PDR entry using the same PDR ID identified in Step 2. Set the Precedence value of the malicious PDR lower than the legitimate rule to ensure it takes priority during datapath processing. Configure the malicious PDR's FAR with Outer Header Creation pointing to an attacker-controlled IP/TEID. Trigger traffic matching the victim session. Observe the traffic being redirected to the attacker-controlled endpoint due to the higher-priority malicious rule match. # Impact Successful exploitation results in full user-plane session hijacking. This leads to several critical security consequences: Traffic Interception/Eavesdropping: Unauthorized monitoring of sensitive user data. Man-in-the-Middle (MitM): Ability to inspect, modify, or drop traffic before forwarding. Denial of Service: Traffic can be blackholed by redirection to non-existent endpoints. Integrity/Confidentiality Risk: Compromised traffic flows may expose private information or allow for malicious payload injection. #Confirmation Statement This issue has been confirmed by the security team from Dotouch. For further technical validation or coordination, please contact Jay at [email protected].
User
 LinZiyu (UID 94035)
Submission04/21/2026 11:01 (3 months ago)
Moderation05/09/2026 11:29 (18 days later)
StatusAccepted
VulDB entry362450 [Dotouch XproUPF 2.0.0-release-088aa7c4 access control]
Points17

Want to know what is going to be exploited?

We predict KEV entries!