Cyber Resilience

CVE-2025-15555

Medium · Public PoC

Published: 04 February 2026
Modified: 07 April 2026
KEV Added
Patch
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0052 (39.9th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2025-15555 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Open5Gs Open5Gs. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-15555 is a stack-based buffer overflow vulnerability in Open5GS versions up to and including 2.7.6. The issue affects the hss_ogs_diam_cx_mar_cb function in the file src/hss/hss-cx-path.c within the VoLTE Cx-Test component. It arises from manipulation of the OGS_KEY_LEN argument, as documented with CWEs 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), 121 (Stack-based Buffer Overflow), and 787 (Out-of-bounds Write).

Attackers can exploit this vulnerability remotely without authentication or user interaction, given its CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, yielding a base score of 7.3 (High). Unauthenticated remote actors may achieve limited impacts on confidentiality, integrity, and availability, potentially leading to partial data disclosure, modification, or service disruption on affected Open5GS deployments.

Mitigation is available via the patch commit 54dda041211098730221d0ae20a2f9f9173e7a21 in the Open5GS GitHub repository. Security practitioners should apply this patch promptly or upgrade to a version incorporating it. Additional details, including discovery and discussion, are provided in GitHub issue #4177.

Vulnerability details

A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. The manipulation of the argument OGS_KEY_LEN results in stack-based buffer overflow. The attack may be launched remotely. The patch is identified as 54dda041211098730221d0ae20a2f9f9173e7a21. A patch should be applied to remediate this issue.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated stack buffer overflow in a network service (Open5GS HSS) directly enables initial access via exploitation of a public-facing or remotely reachable application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15528 · Same product: Open5Gs Open5Gs
CVE-2024-24428 · Same product: Open5Gs Open5Gs
CVE-2023-37013 · Same product: Open5Gs Open5Gs
CVE-2023-37019 · Same product: Open5Gs Open5Gs
CVE-2023-37023 · Same product: Open5Gs Open5Gs
CVE-2023-37020 · Same product: Open5Gs Open5Gs
CVE-2025-15530 · Same product: Open5Gs Open5Gs
CVE-2024-24429 · Same product: Open5Gs Open5Gs
CVE-2024-24427 · Same product: Open5Gs Open5Gs
CVE-2026-2522 · Same product: Open5Gs Open5Gs

Affected Assets

open5gs open5gs, versions ≤ 2.7.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires applying the vendor patch (commit 54dda041) that eliminates the stack buffer overflow in hss_ogs_diam_cx_mar_cb.

prevent: Implements memory-protection mechanisms that block out-of-bounds writes on the stack, directly mitigating CWE-121/787.

prevent: Requires validation of the OGS_KEY_LEN argument and related inputs to enforce buffer bounds before the overflow can occur.