MEDIUM 6.5

CVE-2025-59174: Ericsson Packet Core Controller Denial-of-Service Vulnerability (v1.39 Patch)

Ericsson's Packet Core Controller (PCC) software versions before 1.39 can be knocked offline or severely degraded when an attacker on the same network segment sends large numbers of specially crafted messages. An attacker doesn't need credentials or user interaction to trigger the problem, but they do need network access to the affected system. This is a denial-of-service vulnerability that could disrupt telecom packet routing and control functions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-228
Affected products
1 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Ericsson Packet Core Controller (PCC) versions prior to 1.39 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-59174 is a denial-of-service flaw in Ericsson PCC that stems from improper handling of crafted network messages (CWE-228: Improper Handling of Missing Values). The vulnerability allows unauthenticated, adjacent-network attackers to exhaust system resources or crash services by flooding the controller with specially constructed packets. The attack requires network-layer access (AV:A) rather than remote internet access, but bypasses authentication controls (PR:N) and requires no user interaction (UI:N). The impact is strictly availability-focused; no data confidentiality or integrity is affected.

Business impact

Degradation or outage of Packet Core Controller services can directly impact mobile network packet routing, call control, and session management. In a telecom environment, this translates to dropped calls, interrupted data sessions, and potential revenue loss during the attack window. Organizations operating legacy Ericsson PCC infrastructure should consider the operational criticality of affected instances and the prevalence of attackers with adjacent network access in their threat model.

Affected systems

Ericsson Packet Core Controller versions before 1.39 are vulnerable. Operators running PCC in production environments should inventory their deployment versions immediately. Earlier versions including 1.38 and below are in scope; verify your specific version against Ericsson's advisory to confirm exposure.

Exploitability

The attack has low complexity and no authentication requirement, but is constrained to adjacent network segments (same LAN or directly connected networks). It is not remotely exploitable from the general internet. In datacenter or managed network environments where adjacent-network access is tightly controlled, practical exploitability is lower. In less-segmented deployments or where untrusted devices share the same network segment as PCC, risk increases significantly. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Upgrade Ericsson Packet Core Controller to version 1.39 or later. This is the only available mitigation; no workarounds or interim patches are documented. Plan upgrades during maintenance windows to minimize service disruption. Before deploying, verify compatibility with your broader Ericsson stack and test in a staging environment. If immediate patching is not feasible, implement network segmentation to restrict access to PCC management and data interfaces only to trusted administrative and peer systems.

Patch guidance

Obtain the PCC 1.39 release or later directly from Ericsson's customer portal or support team. Verify the patch version signature and integrity before deployment. Ericsson typically provides detailed upgrade procedures and rollback guidance with each release; follow their documented change management process. Test failover and redundancy scenarios post-upgrade if PCC is deployed in a high-availability configuration. Plan for potential service interruption during the upgrade window.

Detection guidance

Monitor for unusual message volumes or malformed packet patterns targeting Packet Core Controller interfaces. Intrusion detection systems and NetFlow analysis can help identify flooding patterns from adjacent network segments. Review PCC logs for repeated session resets, resource exhaustion warnings, or service crashes correlating with inbound traffic spikes. Implement rate-limiting or traffic shaping on upstream network devices to reduce the blast radius of potential flooding attacks.

Why prioritize this

Although rated MEDIUM severity, this vulnerability directly impacts critical telecom infrastructure. The low barrier to attack (no authentication) and the functional impact on call and data session handling make it worthy of rapid remediation, especially if your PCC instances are exposed to untrusted adjacent networks or shared datacenter environments. The lack of current public exploitation should not delay patching.

Risk score, explained

The CVSS 3.1 score of 6.5 (MEDIUM) reflects the high availability impact (A:H) but is lowered by the constraint that the attacker must already have adjacent-network access (AV:A). The score does not account for business context; a telecom operator's dependence on PCC availability and their network segmentation posture will drive actual organizational risk higher or lower than the base score.

Frequently asked questions

Do we need internet-facing access for an attacker to exploit this?

No. The vulnerability requires adjacent-network access (same LAN or directly connected segment). It is not remotely exploitable from the internet, which limits the attack surface unless your network perimeter includes untrusted or compromised adjacent systems.

Is there a temporary fix while we plan the upgrade?

No documented workaround exists. The best interim controls are network segmentation (restrict which hosts can reach PCC), traffic rate-limiting, and enhanced monitoring for anomalous inbound message patterns. However, patching to version 1.39 or later is the only reliable fix.

Is this vulnerability being actively exploited in the wild?

No. CVE-2025-59174 is not currently listed on CISA's Known Exploited Vulnerabilities catalog, indicating no public weaponization or active exploitation campaigns as of the publication date.

What is the expected downtime for upgrading?

Upgrade duration depends on your deployment topology and Ericsson's procedures for your specific PCC version. Consult Ericsson's upgrade guide and plan for a maintenance window; if PCC is redundant, implement a rolling upgrade strategy to minimize service impact.

This analysis is based on publicly available CVE data and CVSS metrics as of the publication date. Ericsson vulnerability details, patch availability, and compatibility matrices are subject to change; always consult Ericsson's official security advisories and product documentation before making patch or deployment decisions. SEC.co provides this information for informational purposes and makes no warranty regarding the completeness, accuracy, or fitness of this content for any particular purpose. Organizations are responsible for their own vulnerability assessment and remediation planning. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).