CVE-2025-15555
Published: 04 February 2026
Summary
CVE-2025-15555 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Open5GS. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-15555 is a stack-based buffer overflow vulnerability in Open5GS versions up to and including 2.7.6. The issue affects the hss_ogs_diam_cx_mar_cb function in the file src/hss/hss-cx-path.c within the VoLTE Cx-Test component. It arises from manipulation of the OGS_KEY_LEN argument, as documented with CWEs 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), 121 (Stack-based Buffer Overflow), and 787 (Out-of-bounds Write).
Attackers can exploit this vulnerability remotely without authentication or user interaction, given its CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, yielding a base score of 7.3 (High). Unauthenticated remote actors may achieve limited impacts on confidentiality, integrity, and availability, potentially leading to partial data disclosure, modification, or service disruption on affected Open5GS deployments.
Mitigation is available via the patch commit 54dda041211098730221d0ae20a2f9f9173e7a21 in the Open5GS GitHub repository. Security practitioners should apply this patch promptly or upgrade to a version incorporating it. Additional details, including discovery and discussion, are provided in GitHub issue #4177.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206778
Vulnerability details
A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. The manipulation of the argument OGS_KEY_LEN results in stack-based buffer overflow. The attack may be launched remotely. The patch is identified as 54dda041211098730221d0ae20a2f9f9173e7a21. A patch should be applied to remediate this issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated stack buffer overflow in a network service (Open5GS HSS) directly enables initial access via exploitation of a public-facing or remotely reachable application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the vendor patch (commit 54dda041) that eliminates the stack buffer overflow in hss_ogs_diam_cx_mar_cb.
Implements memory-protection mechanisms that block out-of-bounds writes on the stack, directly mitigating CWE-121/787.
Requires validation of the OGS_KEY_LEN argument and related inputs to enforce buffer bounds before the overflow can occur.