CVE-2026-25659: Ericsson Packet Core Gateway DoS Vulnerability Analysis
Ericsson's Packet Core Gateway (PCG) has a vulnerability that allows attackers on the local network to degrade service by repeatedly sending specially crafted messages. The system becomes unresponsive while attacks continue, but recovers normally once the attacker stops. This is not a persistent damage vulnerability—it's a denial-of-service condition that requires active, ongoing attack traffic.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-230
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-25659 is an improper handling of missing values (CWE-230) in Ericsson PCG prior to version 1.30. The flaw exists in message processing logic that fails to validate or handle certain missing fields in incoming packets. When an attacker sends specially crafted messages lacking expected values, the gateway enters a degraded state, consuming resources or entering error loops. The vulnerability requires network adjacency (AV:A) and no authentication, making it exploitable by any actor on the same local network segment. The system does not suffer permanent compromise and restarts recovery once malicious traffic ceases.
Business impact
Service availability is the primary concern. PCG handles packet gateway functions critical to mobile network operations. An active attack causes temporary but disruptive service degradation, affecting call routing, data session establishment, or packet forwarding depending on PCG's role in your architecture. Unlike corruption or data theft, the impact is operational—users experience connection delays or failures. Recovery is automatic, reducing incident response overhead, but repeated attacks create operational friction and potential SLA violations. The local network requirement limits exposure in well-segmented environments but increases risk in enterprises with permissive internal network trust models.
Affected systems
Ericsson Packet Core Gateway versions prior to 1.30 are vulnerable. Verify your deployed version against vendor documentation. Later versions (1.30 and beyond) are not affected. This vulnerability does not impact other Ericsson products or competing gateway platforms. Assess your PCG footprint across central office, regional, and distributed deployments.
Exploitability
Exploitability is straightforward but requires network positioning. An attacker must be on the same local network segment (AV:A) as the PCG—either an internal threat actor or someone with lateral access following a perimeter compromise. No authentication, special privileges, or user interaction is needed; the attack is fully automated. Attack complexity is low (AC:L), meaning a standard crafted packet is sufficient; no race conditions or timing exploitation is required. The barrier to exploitation is low for insiders or compromised internal systems, moderate for external attackers in environments without network segmentation.
Remediation
Upgrade Ericsson PCG to version 1.30 or later. This is a straightforward patch remediation with no known workarounds for earlier versions. Coordinate with Ericsson and your network operations team to schedule upgrades, accounting for change windows and redundancy requirements. Pending patching, implement network segmentation to restrict access to PCG management and control interfaces to trusted administrative networks only. Monitor for unusual packet patterns or message formats targeting PCG.
Patch guidance
Contact Ericsson to obtain version 1.30 or later through your standard support channels. Verify patch availability and compatibility with your current PCG configuration, licensing, and dependent systems. Test the upgrade in a staging environment first, particularly if you rely on PCG for critical call routing or data sessions. Plan for minimal service interruption by leveraging redundancy or scheduled maintenance windows. Confirm version after deployment using Ericsson diagnostics or system information commands.
Detection guidance
Monitor PCG logs and metrics for unusual message rejection rates, processing errors, or CPU/memory spikes correlating with inbound packet bursts. Network detection should focus on identifying malformed or incomplete packets with missing expected header fields destined for PCG ports. Establish baseline metrics for normal PCG load and alert on deviations. If available, enable PCG debug logging to capture packet details during suspected attacks. Correlation with network segmentation logs may reveal lateral movement from compromised internal systems.
Why prioritize this
This vulnerability merits medium-priority attention. It requires network adjacency, limiting broad internet exposure, but affects core infrastructure (packet gateway) in telecom or enterprise mobile network environments. The denial-of-service impact is disruptive but temporary and recoverable, reducing post-incident severity compared to data breach or permanent system compromise. Organizations with strict network segmentation can justify a longer timeline; those with flat internal networks or critical mobile dependencies should prioritize patching sooner. The CVSS 6.5 MEDIUM score reflects high availability impact (A:H) constrained by local network requirement.
Risk score, explained
The CVSS 3.1 score of 6.5 MEDIUM (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a localized but operationally significant vulnerability. Attack Vector (AV:A) limits scope to the local network, preventing remote exploitation. Attack Complexity (AC:L) and lack of privilege or user interaction (PR:N, UI:N) indicate a straightforward, automated attack. Confidentiality and Integrity are not impacted (C:N, I:N), ruling out data compromise. Availability impact is high (A:H) due to service degradation. The score appropriately weights operational disruption against the network adjacency requirement.
Frequently asked questions
If PCG recovers automatically after the attack stops, why do we need to patch?
Automatic recovery is helpful for resilience, but it does not prevent the attack. An attacker can repeat the malicious traffic indefinitely, creating persistent operational disruption, SLA violations, and customer impact. Patching eliminates the vulnerability so the attack cannot degrade service in the first place. Automatic recovery is a safety net, not a substitute for fixing the root cause.
Does this vulnerability expose our data or enable unauthorized access?
No. The vulnerability causes service degradation (availability impact) but does not compromise confidentiality or integrity. Attackers cannot read, modify, or exfiltrate data via this flaw. It is purely a denial-of-service condition. Other security controls (authentication, encryption, access lists) are unaffected.
Our PCG is isolated on a private network with no direct internet access. Are we still at risk?
Risk is significantly reduced but not eliminated. You are safe from external attackers. Internal threats—compromised workstations, supply chain partners with network access, or unauthorized employees—could still exploit the vulnerability. Review your network segmentation policies and access controls for internal systems that can reach PCG.
What is the difference between this flaw and a crash vulnerability?
This flaw causes service degradation and resource exhaustion, not a system crash that requires manual restart. The gateway enters an error state or becomes unresponsive while under attack, then recovers automatically when the malicious traffic stops. A true crash would require manual intervention to restart. This design detail reduces incident severity but underscores the need to prevent the attack in the first place.
This analysis is based on publicly available vulnerability data as of the publication date. Exploit code is not provided; this explainer is for defensive purposes only. Always verify patch availability, compatibility, and testing in your environment with Ericsson support before deploying production updates. Network segmentation, monitoring, and incident response procedures should be in place as complementary controls alongside patching. SEC.co makes no warranty as to the completeness or accuracy of third-party vendor information referenced herein. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-25658MEDIUMEricsson Packet Core Gateway Availability Vulnerability (CWE-230)
- CVE-2025-59174MEDIUMEricsson Packet Core Controller Denial-of-Service Vulnerability (v1.39 Patch)
- CVE-2026-25657MEDIUMEricsson Packet Core Gateway Denial-of-Service Vulnerability (PCG < 1.30)
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability