MEDIUM 6.5

CVE-2026-25658: Ericsson Packet Core Gateway Availability Vulnerability (CWE-230)

Ericsson Packet Core Gateway versions before 1.30 contain a vulnerability where attackers can send specially crafted messages to degrade service availability. The system crashes repeatedly while the attack continues, but recovers automatically once the attacker stops. This is a network-based attack requiring no authentication or user interaction.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-230
Affected products
1 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-25658 is an Improper Handling of Missing Values vulnerability (CWE-230) in Ericsson Packet Core Gateway. The flaw allows an attacker on the network segment to repeatedly trigger service degradation through malformed messages that the PCG fails to validate or sanitize properly. The attack surface is limited to adjacent network positions (AV:A), requires no privileges or user involvement, and does not compromise confidentiality or integrity—only availability. System state recovers upon attack cessation, indicating the vulnerability does not cause permanent corruption.

Business impact

Service degradation on Packet Core Gateway infrastructure directly impacts mobile network operations. Affected operators experience intermittent service failures affecting subscribers on the compromised gateway. The reversible nature of the crash means recovery is automatic, but repeated attacks create operational overhead and potential revenue impact during active exploitation. Critical for mobile operators relying on uninterrupted packet routing and subscriber connectivity.

Affected systems

Ericsson Packet Core Gateway versions prior to 1.30 are vulnerable. Organizations running PCG deployments should confirm their current version against vendor documentation. The vulnerability is specific to this Ericsson product line and does not affect other packet gateway vendors unless explicitly cross-referenced in vendor advisories.

Exploitability

Exploitation requires network access to the PCG (adjacent network segment). No authentication, credentials, or user interaction are required. An attacker must craft specific malformed messages and send them continuously to maintain the degradation effect. The straightforward attack vector and lack of complexity make this exploitable by moderately skilled adversaries with network visibility to the gateway. However, the attack is not stealthy—continuous malicious traffic may be detectable through network monitoring.

Remediation

Upgrade Ericsson Packet Core Gateway to version 1.30 or later. Organizations should verify patch availability through official Ericsson security advisories and plan upgrades during maintenance windows. For environments unable to patch immediately, network-level access controls limiting connectivity to PCG interfaces and traffic filtering on gateway ports may reduce attack surface. Monitor vendor communications for any interim guidance or workarounds.

Patch guidance

Apply Ericsson Packet Core Gateway version 1.30 or later. Verify patch availability and compatibility with your network architecture before deployment. Test patched versions in staging environments to confirm stability and compatibility with dependent systems. Plan deployment during scheduled maintenance to minimize subscriber impact. Coordinate with Ericsson support if blockers or compatibility concerns arise.

Detection guidance

Monitor for sustained, malformed message traffic directed at PCG interfaces. Implement network-based detection on gateway ingress ports for patterns of irregular packets triggering service restarts. Log gateway crash events and correlate timing with suspicious traffic spikes. Alert on repeated restart cycles within short timeframes. Baseline normal PCG traffic to identify anomalous patterns; the attack requires continuous transmission, making it potentially visible on packet captures. Review gateway syslog and system event logs for CWE-230 related processing errors.

Why prioritize this

This is a MEDIUM-severity availability vulnerability with direct impact on mobile network operations. It requires network access (not internet-facing) and does not lead to data breach or system compromise, but repeated exploitation causes measurable service degradation. Prioritize patching in environments where the PCG is exposed to untrusted networks or where availability SLAs are critical. For isolated, tightly controlled PCG deployments, prioritize behind critical vulnerabilities but schedule patching in the near term.

Risk score, explained

CVSS 3.1 score of 6.5 (MEDIUM) reflects: (1) Attack Vector Adjacent—attacker must be on the same network segment; (2) Attack Complexity Low—no special conditions required; (3) Privileges None—no authentication needed; (4) User Interaction None—fully automated; (5) Availability High impact—service degrades while attack persists; (6) Confidentiality and Integrity None—no data compromise. The reversible crash nature and network-proximity requirement prevent a higher score, but the operational impact on telecom infrastructure warrants prompt remediation.

Frequently asked questions

Does this vulnerability affect my Ericsson packet gateway if it's not exposed to untrusted networks?

The attack requires network-adjacent proximity, so PCG instances isolated to trusted internal networks are at lower immediate risk. However, compromised internal systems, supply-chain threats, or lateral movement could introduce attackers to the gateway's network segment. Patching remains advisable regardless of perceived isolation.

Will the gateway recover automatically, or do we need to intervene?

The gateway recovers automatically once the attacker stops sending malicious messages. No manual intervention is required for recovery. However, frequent attacks create operational burden and potential SLA violations. Patching eliminates the vulnerability so the gateway cannot be exploited in this manner.

Are there interim mitigations if we cannot patch immediately?

Restrict network access to the PCG using firewall rules and access control lists to only trusted sources. Implement ingress filtering on gateway ports to block malformed or suspicious traffic patterns. Monitor gateway logs for restart events and investigate spikes in traffic. These are temporary measures—patch as soon as operationally feasible.

How is this different from a denial-of-service attack?

This is a denial-of-service attack, specifically a vulnerability-triggered DoS. Unlike bandwidth-flooding DDoS, this exploits a software flaw requiring only modest traffic to degrade service. The low bandwidth requirement makes it harder to distinguish from legitimate traffic without deep packet inspection.

This analysis is provided for informational purposes and does not constitute legal or professional security advice. Organizations should verify all technical details, including affected versions and patch availability, against official Ericsson security advisories and vendor documentation. CVSS scores and vulnerability classifications are provided as-is from authoritative sources and may be updated by vendors or NIST. SEC.co makes no warranty regarding the accuracy, completeness, or applicability of this content to your specific environment. Consult with qualified security and network engineering staff before making remediation decisions. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).