CVE-2026-25657: Ericsson Packet Core Gateway Denial-of-Service Vulnerability (PCG < 1.30)
Ericsson's Packet Core Gateway (PCG) has a vulnerability that allows an attacker on the local network to send specially crafted messages that crash or degrade the service. The good news: once the attacker stops, the system recovers automatically without manual intervention. This is a denial-of-service issue—it takes the service offline temporarily but doesn't steal data or give attackers permanent control. Organizations running PCG versions before 1.30 are at risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-228
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-25657 is an Improper Handling of Syntactically Invalid Structure flaw (CWE-228) in Ericsson PCG that permits denial of service via crafted message payloads. The vulnerability resides in the packet core gateway's message parsing logic, which fails to properly validate or sanitize incoming structures. Continuous transmission of these messages causes repeated crashes or severe degradation. Recovery occurs naturally when the attack ceases, indicating no persistent system corruption. The attack vector requires adjacent network access (AV:A), involves no special privileges (PR:N), and requires no user interaction (UI:N).
Business impact
Service interruptions to packet core gateway functions directly impact mobile network operations. If PCG handles critical packet routing, authentication, or policy enforcement in your telecom infrastructure, repeated denial-of-service attacks would disrupt subscriber connectivity and revenue-generating services. The intermittent nature—recover-after-attack-stops—means impact is operational rather than data-breaching, but availability SLAs and customer satisfaction are at stake. For carriers or large enterprises with PCG deployments, this warrants prioritization in environments exposed to untrusted adjacent networks.
Affected systems
Ericsson Packet Core Gateway versions prior to 1.30 are vulnerable. Check your deployed version immediately. The attack requires adjacent network access, so exposure depends on your network architecture: systems on isolated or tightly segmented networks have lower risk than those exposed to untrusted VLANs, partner networks, or cloud environments where adjacent-network threats are realistic.
Exploitability
Exploitation is straightforward from a technical perspective—an attacker needs only to craft and repeatedly send a malformed message. No authentication, privilege escalation, or complex social engineering is required. The barrier to entry is low if the attacker has network proximity. However, the CVSS score of 6.5 reflects that impact is availability-only (no confidentiality or integrity breach) and adjacency is required. This is not a trivial vulnerability for exposed systems, but less critical than remote code execution or data exfiltration scenarios.
Remediation
Upgrade Ericsson PCG to version 1.30 or later. This is the definitive remediation. If immediate patching is not feasible, implement network segmentation to restrict access to PCG from untrusted or external networks. Monitor for abnormal traffic patterns or repeated malformed messages directed at PCG. Consider isolating PCG to a management or internal-only network segment if business operations permit.
Patch guidance
Contact Ericsson support or consult the official Ericsson security advisory for PCG 1.30+ download and deployment steps. Verify patch version numbers directly from Ericsson's advisory before deployment. Plan patching during maintenance windows to minimize service disruption, particularly if your PCG instances are load-balanced or in active/standby configurations. Test the patched version in a non-production environment first, especially if you run custom configurations or third-party integrations with PCG.
Detection guidance
Monitor PCG logs for parsing errors, syntax validation failures, or repeated crash cycles that correspond with no clear traffic anomalies. Inspect network traffic for unusual packet structures or patterns targeting PCG ports. Implement IDS/IPS rules to detect and block known malformed message patterns if Ericsson publishes indicators. Baseline normal PCG behavior (CPU, memory, restart events) and alert on deviations. If you observe periodic availability spikes with spontaneous recovery, investigate whether an attack is in progress.
Why prioritize this
Although the CVSS score is medium (6.5), PCG is critical infrastructure in telecom networks. Denial-of-service attacks on core gateway functions can cascade, affecting millions of subscribers. The low barrier to exploitation from adjacent networks and the simplicity of the attack vector mean this should be prioritized for patching in production environments, especially if PCG is exposed to partner networks, cloud interconnects, or less-trusted segments. Non-production or fully isolated systems can be addressed with lower urgency.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) reflects availability impact only (no confidentiality or integrity loss), adjacency-level access requirement (AV:A), and lack of privilege or user interaction needs. The score would be higher if the vulnerability allowed remote access or data exfiltration. It is not marked as critical, but criticality in practice depends on your network topology and PCG's role in your infrastructure. A patch is available and should be applied promptly to production deployments.
Frequently asked questions
Does this vulnerability allow an attacker to steal subscriber data or gain control of the network?
No. CVE-2026-25657 is a denial-of-service vulnerability only. It does not permit data theft, system compromise, or privilege escalation. Attackers can disrupt service but cannot exfiltrate information or gain persistent access. Once the attack stops, the system recovers fully.
What does 'adjacent network access' mean, and am I at risk?
Adjacent network access (AV:A) means the attacker must be on the same network segment or VLAN as the PCG—not remotely exploitable over the internet. Risk depends on your architecture: if PCG is isolated to internal networks only, risk is lower. If it's exposed to partner networks, untrusted cloud segments, or DMZs, risk is higher. Review your network diagram and restrict PCG access accordingly.
Can I just restart PCG to fix the issue, or do I need to patch?
Restarting PCG after an attack stops will restore service, but it does not fix the underlying vulnerability. Attackers can exploit it again immediately. You must upgrade to PCG 1.30 or later. Restarting is a temporary workaround only and should not replace patching.
How do I know if my PCG is running a vulnerable version?
Check your PCG version via the administration console or CLI—consult Ericsson's documentation for your deployment. If the version is below 1.30, you are vulnerable and should plan an upgrade. Contact Ericsson support if you are unsure of your version or need guidance on patching.
This analysis is based on publicly available CVE data and the vendor's advisory. Verify all patch versions, download links, and deployment instructions directly from Ericsson's official security advisory before implementing changes. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, but absence from KEV does not indicate low risk—assess your specific network architecture and PCG exposure independently. Test all patches in non-production environments before production deployment. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence; use it as one input in your vulnerability risk assessment process. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2019-25716MEDIUMDräger Patient Monitor Denial-of-Service Vulnerability