Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long the attack persists but the system recovers from the crashes when the attack stops.
AnalysisAI
Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade service by continuously transmitting malformed messages that the gateway fails to parse safely. The condition causes recurring crashes that persist only while the attack is active, with automatic recovery once it stops, and no public exploit identified at time of analysis.
Technical ContextAI
Ericsson PCG is a 5G core network function combining SMF (Session Management Function) and UPF (User Plane Function) responsibilities, deployed by mobile operators to handle subscriber session management and user-plane packet forwarding. The flaw is rooted in CWE-228 (Improper Handling of Syntactically Invalid Structure), meaning a parser within the PCG's message-handling path does not gracefully reject malformed inputs and instead enters a fault state. The CPE cpe:2.3:a:ericsson:packet_core_gateway_(pcg) confirms the affected product is the PCG application itself, and the AV:A vector indicates the vulnerable interface is reachable from an adjacent network segment such as an operator's signaling or transport network rather than the public internet.
RemediationAI
Vendor-released patch: PCG version 1.30 - operators should upgrade to PCG 1.30 or later following Ericsson's standard core-network change management process, with details at https://www.ericsson.com/en/about-us/security/psirt/cve-2026-25657. Until the upgrade window is available, compensating controls include restricting reachability to the PCG's signaling and management interfaces to known peer nodes only via ACLs at the transport layer, enabling rate-limiting or anomaly detection on signaling traffic to suppress repeated malformed messages, and tightening segmentation of the mobile core so that lateral access from less-trusted operator network zones is blocked; these controls reduce exposure but may add operational overhead, complicate legitimate inter-node communication during failover, and will not stop an attacker who already has a foothold inside a trusted peer.
Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5
The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that a
The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Rated critical severity (CVSS
In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file
The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and th
In Ericsson ECM before 18.0, it was observed that Security Provider Endpoint in the User Profile Management Section is v
Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs. Rated high severity (CVSS
XSS exists in Ericsson Active Library Explorer (ALEX) 14.3 in multiple parameters in the "/cgi-bin/alexserv" servlet, as
Open redirect vulnerability in the 3PI Manager in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 all
In Ericsson ECM before 18.0, it was observed that Security Management Endpoint in User Profile Management Section is vul
In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS v
In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34821
GHSA-jvw3-jcj6-6qc7