Open5GS up to 2.7.5 PFCP Session Establishment Request lib/pfcp/rule-match.c assertion
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.9 | $0-$5k | 0.26 |
Summary
A vulnerability classified as problematic has been found in Open5GS up to 2.7.5. This vulnerability affects the function decode_ipv6_header/ogs_pfcp_pdr_rule_find_by_packet of the file lib/pfcp/rule-match.c of the component PFCP Session Establishment Request Handler. The manipulation leads to assertion.
This vulnerability is documented as CVE-2025-15176. The attack can be initiated remotely. Additionally, an exploit exists.
It is suggested to install a patch to address this issue.
Details
A vulnerability was found in Open5GS up to 2.7.5. It has been rated as problematic. This issue affects the function decode_ipv6_header/ogs_pfcp_pdr_rule_find_by_packet of the file lib/pfcp/rule-match.c of the component PFCP Session Establishment Request Handler. The manipulation with an unknown input leads to a assertion vulnerability. Using CWE to declare the problem leads to CWE-617. The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. Impacted is availability.
The advisory is shared at github.com. The identification of this vulnerability is CVE-2025-15176. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details as well as a public exploit are known.
The exploit is available at github.com. It is declared as proof-of-concept.
Applying the patch b72d8349980076e2c033c8324f07747a86eea4f8 is able to eliminate this problem. The bugfix is ready for download at github.com.
The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-205559). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Name
Version
License
Website
- Product: https://github.com/open5gs/open5gs/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CNA CVSS-B Score: 🔒
CNA CVSS-BT Score: 🔒
CNA Vector: 🔒
CVSSv3
VulDB Meta Base Score: 6.0VulDB Meta Temp Score: 5.9
VulDB Base Score: 5.3
VulDB Temp Score: 4.8
VulDB Vector: 🔒
VulDB Reliability: 🔍
NVD Base Score: 7.5
NVD Vector: 🔒
CNA Base Score: 5.3
CNA Vector: 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: AssertionCWE: CWE-617
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Access: Public
Status: Proof-of-Concept
Download: 🔒
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔒
Patch: b72d8349980076e2c033c8324f07747a86eea4f8
Timeline
12/28/2025 Advisory disclosed12/28/2025 VulDB entry created
01/01/2026 VulDB entry last update
Sources
Product: github.comAdvisory: 4180
Status: Confirmed
Confirmation: 🔒
CVE: CVE-2025-15176 (🔒)
GCVE (CVE): GCVE-0-2025-15176
GCVE (VulDB): GCVE-100-338561
EUVD: 🔒
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 12/28/2025 09:30Updated: 01/01/2026 06:22
Changes: 12/28/2025 09:30 (60), 12/28/2025 10:17 (3), 12/28/2025 10:18 (12), 12/29/2025 10:33 (1), 12/29/2025 12:05 (31), 01/01/2026 06:22 (11)
Complete: 🔍
Submitter: ZiyuLin
Cache ID: 216:055:103
Submit
Accepted
- Submit #719830: Open5GS v2.7.5 Reachable Assertion (by ZiyuLin)
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
I am writing to dispute the current CVSS score of 3.1 assigned to this vulnerability. I strongly believe the score should be 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
My assessment is based on the technical facts of the exploit and consistency with recently scored vulnerabilities of the same nature.
1. Reference to Similar Vulnerability (Precedent) A nearly identical vulnerability, CVE-2025-65559, was recently analyzed by NVD and assigned a score of 7.5.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-65559
Comparison: Just like CVE-2025-65559, the vulnerability I reported involves a remote attacker sending a malformed packet to a network service (UPF/Core Network), causing the process to crash immediately. There is no technical justification for scoring my finding (3.1) so drastically lower than its peer (7.5).
2. Technical Justification for Vector Changes
AV: Local (L) -> Network (N): The target service listens on a network interface (e.g., UDP port). The attack is performed remotely by sending packets over the network, identical to the vector in CVE-2025-65559. Local access is NOT required.
PR: Low (L) -> None (N): The crash occurs during the packet parsing stage, prior to any authentication. No credentials are needed to send the UDP packet that triggers the crash.
A: Low (L) -> High (H): The vulnerability causes a fatal crash (Segfault/Panic) of the daemon. The service stops completely and requires a restart. This constitutes a total loss of availability.
I kindly request you to align the scoring of this vulnerability with the established standard for remote DoS vulnerabilities (7.5) to maintain consistency in the database.
Best regards,
Ziyu
Do you know our Splunk app?
Download it now for free!