Cyber Resilience

CVE-2023-37015

High · Public PoC

Published: 22 January 2025

Modified: 22 April 2025
KEV Added
Patch
CVSS Score (v3.1): 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0031 (54.1 percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-37015 is a high-severity Reachable Assertion (CWE-617) vulnerability in Open5GS (vendor: Open5Gs, product: Open5Gs). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 45.9% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2023-37015 is a vulnerability in Open5GS MME versions up to and including 2.6.4, where an assertion failure can be remotely triggered by a malformed ASN.1 packet over the S1AP interface. The issue stems from a Path Switch Request message that lacks the required MME_UE_S1AP_ID information element: instead of rejecting the message, the MME hits an assertion and crashes. It is classified under CWE-617 with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), reflecting its severe availability impact (A:H).

An unauthenticated attacker with network access to the S1AP interface can exploit this vulnerability by transmitting the malformed Path Switch Request, repeatedly crashing the MME and causing a denial of service. No privileges, user interaction, or special conditions are required beyond network reachability, and the changed scope (S:C) amplifies the potential disruption to the affected core network component.

Mitigation details are available in the advisory published at https://cellularsecurity.org/ransacked, which was referenced alongside the CVE disclosure on 2025-01-22.

EU & UK References

Vulnerability details

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `Path Switch Request` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in denial of service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A malformed S1AP packet triggers a remote assertion failure and MME crash, which directly constitutes an application/system denial of service via exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2523 (same product: Open5Gs Open5Gs)
CVE-2024-24430 (same product: Open5Gs Open5Gs)
CVE-2024-34235 (same product: Open5Gs Open5Gs)
CVE-2023-37021 (same product: Open5Gs Open5Gs)
CVE-2023-37016 (same product: Open5Gs Open5Gs)
CVE-2023-37017 (same product: Open5Gs Open5Gs)
CVE-2023-37018 (same product: Open5Gs Open5Gs)
CVE-2023-37023 (same product: Open5Gs Open5Gs)
CVE-2024-24427 (same product: Open5Gs Open5Gs)
CVE-2024-24428 (same product: Open5Gs Open5Gs)

Affected Assets

open5gs / open5gs, versions ≤ 2.6.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-10, Information Input Validation): validate incoming ASN.1 Path Switch Request messages over S1AP and reject any that lack the required MME_UE_S1AP_ID field, so a missing field produces a protocol error rather than an assertion failure and MME crash.

Prevent (SC-5, Denial-of-service Protection): provide denial-of-service protection against repeated transmission of malformed S1AP packets that crash the MME, limiting the impact on availability.

Prevent: ensure that error handling for missing required fields in S1AP messages neither discloses information nor causes exploitable crashes in the MME.

References